Skip to content
Log In

CCI-000381

Configure the system to provide only organization-defined mission essential capabilities.

Firefox must be configured to disable the installation of extensions.

2 rules found Severity: Medium

Logo

Firefox autoplay must be disabled.

1 rule found Severity: Medium

Logo

Enabled Firefox Cryptomining protection

1 rule found Severity: Medium

Logo

Disable Firefox deprecated ciphers

1 rule found Severity: Medium

Logo

Firefox must be configured to disable form fill assistance.

2 rules found Severity: Medium

Logo

Disable Firefox Pocket

1 rule found Severity: Medium

Logo

Disable Firefox Studies

1 rule found Severity: Medium

Logo

Firefox must be configured so that DNS over HTTPS is disabled.

2 rules found Severity: Medium

Logo

Firefox encrypted media extensions must be disabled.

2 rules found Severity: Medium

Logo

Enabled Firefox Enhanced Tracking Protection

1 rule found Severity: Medium

Logo

Disabled Firefox Extension Recommendations

1 rule found Severity: Medium

Logo

Firefox must be configured to not automatically update installed add-ons and plugins.

2 rules found Severity: Medium

Logo

Firefox feedback reporting must be disabled.

2 rules found Severity: Medium

Logo

Enabled Firefox Fingerprinting Protection

1 rule found Severity: Medium

Logo

Disable JavaScript's Raise Or Lower Windows Capability

1 rule found Severity: Medium

Logo

Disable JavaScript's Moving Or Resizing Windows Capability

1 rule found Severity: Medium

Logo

Disable Firefox network prediction

1 rule found Severity: Medium

Logo

Firefox must be configured to not delete data upon shutdown.

2 rules found Severity: Medium

Logo

The Firefox New Tab page must not show Top Sites, Sponsored Top sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.

1 rule found Severity: Medium

Logo

Firefox must be configured to not use a password store with or without a master password.

2 rules found Severity: Medium

Logo

Enable Firefox Pop-up Blocker

1 rule found Severity: Medium

Logo

Firefox private browsing must be disabled.

2 rules found Severity: Medium

Logo

Firefox search suggestions must be disabled.

2 rules found Severity: Medium

Logo

Disable Installed Search Plugins Update Checking

1 rule found Severity: Medium

Logo

Firefox accounts must be disabled.

2 rules found Severity: Medium

Logo

Disable Firefox Telemetry

1 rule found Severity: Medium

Logo

Firefox must not recommend extensions as the user is using the browser.

2 rules found Severity: Medium

Logo

Uninstall abrt-addon-ccpp Package

8 rules found Severity: Low

Logo

Uninstall abrt-addon-kerneloops Package

8 rules found Severity: Low

Logo

Uninstall abrt-addon-python Package

5 rules found Severity: Low

Logo

Uninstall abrt-cli Package

8 rules found Severity: Low

Logo

Uninstall abrt-plugin-logger Package

8 rules found Severity: Low

Logo

Uninstall abrt-plugin-rhtsupport Package

8 rules found Severity: Low

Logo

Uninstall abrt-plugin-sosreport Package

8 rules found Severity: Low

Logo

Uninstall gssproxy Package

13 rules found Severity: Medium

Logo

Uninstall libreport-plugin-logger Package

8 rules found Severity: Low

Logo

Uninstall libreport-plugin-rhtsupport Package

8 rules found Severity: Low

Logo

Disable SCTP Support

26 rules found Severity: Medium

Logo

Disable TIPC Support

32 rules found Severity: Low

Logo

Disable the uvcvideo module

29 rules found Severity: Medium

Logo

Disable At Service (atd)

16 rules found Severity: Medium

Logo

Disable ATM Support

11 rules found Severity: Medium

Logo

Disable CAN Support

13 rules found Severity: Medium

Logo

Disable IEEE 1394 (FireWire) Support

11 rules found Severity: Low

Logo

Disable Mounting of cramfs

21 rules found Severity: Low

Logo

Uninstall Automatic Bug Reporting Tool (abrt)

8 rules found Severity: Medium

Logo

Disable Network Console (netconsole)

5 rules found Severity: Low

Logo

Disable Odd Job Daemon (oddjobd)

13 rules found Severity: Medium

Logo

Uninstall vsftpd Package

19 rules found Severity: High

Logo

Uninstall Sendmail Package

16 rules found Severity: Medium

Logo

Uninstall ypserv Package

15 rules found Severity: High

Logo

Uninstall rsh-server Package

18 rules found Severity: High

Logo

Uninstall telnet-server Package

22 rules found Severity: High

Logo

Uninstall python3-abrt-addon Package

4 rules found Severity: Low

Logo

Enable Kernel Page-Table Isolation (KPTI)

11 rules found Severity: Low

Logo

Disable chrony daemon from acting as server

10 rules found Severity: Low

Logo

Disable network management of chrony daemon

10 rules found Severity: Low

Logo

Uninstall abrt-libs Package

1 rule found Severity: Medium

Logo

Uninstall abrt-server-info-page Package

1 rule found Severity: Medium

Logo

The A10 Networks ADC must not have unnecessary scripts installed.

1 rule found Severity: Medium

Logo

The A10 Networks ADC must use DNS Proxy mode when Global Server Load Balancing is used.

1 rule found Severity: Medium

Logo

Adobe Acrobat Pro DC Continuous PDF file attachments must be blocked.

1 rule found Severity: Medium

Logo

Adobe Acrobat Pro DC Continuous access to unknown websites must be restricted.

1 rule found Severity: Low

Logo

Adobe Acrobat Pro DC Continuous access to websites must be blocked.

1 rule found Severity: Low

Logo

Adobe Acrobat Pro DC Continuous must be configured to block Flash Content.

1 rule found Severity: Medium

Logo

The Adobe Acrobat Pro DC Continuous Send and Track plugin for Outlook must be disabled.

1 rule found Severity: Medium

Logo

Adobe Acrobat Pro DC Continuous must disable the ability to store files on Acrobat.com.

1 rule found Severity: Medium

Logo

Adobe Acrobat Pro DC Continuous Cloud Synchronization must be disabled.

1 rule found Severity: Medium

Logo

Adobe Acrobat Pro DC Continuous Repair Installation must be disabled.

1 rule found Severity: Low

Logo

Adobe Acrobat Pro DC Continuous third-party web connectors must be disabled.

1 rule found Severity: Low

Logo

Adobe Acrobat Pro DC Continuous Webmail must be disabled.

1 rule found Severity: Low

Logo

The Adobe Acrobat Pro DC Continuous Welcome Screen must be disabled.

1 rule found Severity: Low

Logo

Adobe Acrobat Pro DC Continuous SharePoint and Office365 access must be disabled.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable the Adobe Send and Track plugin for Outlook.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable all service access to Document Cloud Services.

1 rule found Severity: Medium

Logo

Adobe Reader DC must disable Cloud Synchronization.

1 rule found Severity: Medium

Logo

Adobe Reader DC must disable the Adobe Repair Installation.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable 3rd Party Web Connectors.

1 rule found Severity: Medium

Logo

Adobe Reader DC must disable Acrobat Upsell.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable Adobe Send for Signature.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable access to Webmail.

1 rule found Severity: Medium

Logo

Adobe Reader DC must disable Online SharePoint Access.

1 rule found Severity: Medium

Logo

Adobe Reader DC must disable the Adobe Welcome Screen.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable Service Upgrades.

1 rule found Severity: Low

Logo

The Arista Multilayer Switch must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The CA API Gateway must not have unnecessary services and functions enabled.

1 rule found Severity: Medium

Logo

The CA API Gateway must be configured to remove or disable unrelated or unneeded application proxy services.

1 rule found Severity: Medium

Logo

Citrix Delivery Controller must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

Delivery Controller must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The application must be configured to disable non-essential capabilities.

2 rules found Severity: Medium

Logo

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

1 rule found Severity: Medium

Logo

LDAP integration in Docker Enterprise must be configured.

1 rule found Severity: Medium

Logo

The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

1 rule found Severity: Medium

Logo

On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.

1 rule found Severity: Medium

Logo

The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

1 rule found Severity: Medium

Logo

Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

1 rule found Severity: Medium

Logo

The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.

1 rule found Severity: Medium

Logo

The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.

1 rule found Severity: Medium

Logo

The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes must be disabled in Docker Enterprise.

1 rule found Severity: Medium

Logo

The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.

1 rule found Severity: Medium

Logo

Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise.

1 rule found Severity: Medium

Logo

Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.

1 rule found Severity: Medium

Logo

An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.

1 rule found Severity: Medium

Logo

SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.

1 rule found Severity: Medium

Logo

Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

1 rule found Severity: Medium

Logo

Privileged Linux containers must not be used for Docker Enterprise.

1 rule found Severity: Medium

Logo

SSH must not run within Linux containers for Docker Enterprise.

1 rule found Severity: Medium

Logo

Only required ports must be open on the containers in Docker Enterprise.

1 rule found Severity: Medium

Logo

Docker Enterprise hosts network namespace must not be shared.

1 rule found Severity: High

Logo

Memory usage for all containers must be limited in Docker Enterprise.

1 rule found Severity: Medium

Logo

Docker Enterprise CPU priority must be set appropriately on all containers.

1 rule found Severity: Low

Logo

All Docker Enterprise containers root filesystem must be mounted as read only.

1 rule found Severity: High

Logo

Docker Enterprise host devices must not be directly exposed to containers.

1 rule found Severity: High

Logo

Mount propagation mode must not set to shared in Docker Enterprise.

1 rule found Severity: Medium

Logo

The Docker Enterprise hosts UTS namespace must not be shared.

1 rule found Severity: Medium

Logo

The Docker Enterprise default seccomp profile must not be disabled.

1 rule found Severity: High

Logo

Docker Enterprise exec commands must not be used with privileged option.

1 rule found Severity: High

Logo

Docker Enterprise exec commands must not be used with the user option.

1 rule found Severity: Medium

Logo

cgroup usage must be confirmed in Docker Enterprise.

1 rule found Severity: Medium

Logo

All Docker Enterprise containers must be restricted from acquiring additional privileges.

1 rule found Severity: High

Logo

The Docker Enterprise hosts user namespace must not be shared.

1 rule found Severity: High

Logo

The Docker Enterprise socket must not be mounted inside any containers.

1 rule found Severity: High

Logo

The FortiGate firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

1 rule found Severity: Medium

Logo

Google Android 12 must be configured to disable developer modes.

2 rules found Severity: Medium

Logo

The HP FlexFabric Switch must be configured to disable non-essential capabilities.

2 rules found Severity: Medium

Logo

The storage system in a hardened configuration must be configured to disable the Remote Copy feature, unless needed.

1 rule found Severity: High

Logo

Default demonstration and sample databases, database objects, and applications must be removed.

7 rules found Severity: Medium

Logo

Unused database components, DBMS software, and database objects must be removed.

9 rules found Severity: Medium

Logo

Unused database components which are integrated in DB2 and cannot be uninstalled must be disabled.

1 rule found Severity: Medium

Logo

Access to external executables must be disabled or restricted.

12 rules found Severity: Medium

Logo

The IBM Aspera Platform must not have unnecessary services and functions enabled.

1 rule found Severity: Medium

Logo

The WebSphere Application Server process must not be started from the command line with the -password option.

1 rule found Severity: Medium

Logo

The WebSphere Application Server files must be owned by the non-root WebSphere user ID.

1 rule found Severity: Medium

Logo

The WebSphere Application Server sample applications must be removed.

1 rule found Severity: Low

Logo

The WebSphere Application Server must remove JREs left by web server and plug-in installers for web servers and plugins running in the DMZ.

1 rule found Severity: Low

Logo

The WebSphere Application Server must be run as a non-admin user.

1 rule found Severity: Medium

Logo

The WebSphere Application Server must disable JSP class reloading.

1 rule found Severity: Medium

Logo

IBM z/VM must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The Save commands default file format must be configured.

4 rules found Severity: Medium

Logo

Trust access for VBA must be disallowed.

3 rules found Severity: Medium

Logo

Warning Bar settings for VBA macros must be configured.

5 rules found Severity: Medium

Logo

Warning Bar settings for VBA macros must be configured.

13 rules found Severity: Medium

Logo

The Default file format must be set.

1 rule found Severity: Medium

Logo

Database functionality configurations must be displayed to the user.

2 rules found Severity: Medium

Logo

Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

1 rule found Severity: Medium

Logo

Microsoft Android 11 must be configured to disable developer modes.

2 rules found Severity: Medium

Logo

Motorola Solutions Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

1 rule found Severity: Medium

Logo

Motorola Solutions Android 11 must be configured to disable developer modes.

1 rule found Severity: Medium

Logo

Motorola Solutions Android 11 must be configured to disable USB mass storage mode.

1 rule found Severity: Medium

Logo

Motorola Solutions Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.

1 rule found Severity: Low

Logo

Firefox must be configured to not automatically check for updated versions of installed search plugins.

1 rule found Severity: Medium

Logo

Firefox must be configured to block pop-up windows.

1 rule found Severity: Medium

Logo

Firefox must be configured to prevent JavaScript from moving or resizing windows.

1 rule found Severity: Medium

Logo

Firefox must be configured to prevent JavaScript from raising or lowering windows.

1 rule found Severity: Medium

Logo

Background submission of information to Mozilla must be disabled.

1 rule found Severity: Medium

Logo

Firefox autoplay must be disabled.

1 rule found Severity: Low

Logo

Firefox network prediction must be disabled.

1 rule found Severity: Medium

Logo

Firefox fingerprinting protection must be enabled.

1 rule found Severity: Medium

Logo

Firefox cryptomining protection must be enabled.

1 rule found Severity: Medium

Logo

Firefox Enhanced Tracking Protection must be enabled.

1 rule found Severity: Medium

Logo

Firefox extension recommendations must be disabled.

1 rule found Severity: Medium

Logo

Firefox deprecated ciphers must be disabled.

1 rule found Severity: Medium

Logo

The Firefox New Tab page must not show Top Sites, Sponsored Top Sites, Pocket Recommendations, Sponsored Pocket Stories, Searches, Highlights, or Snippets.

1 rule found Severity: Medium

Logo

Pocket must be disabled.

1 rule found Severity: Medium

Logo

Firefox Studies must be disabled.

1 rule found Severity: Medium

Logo

Trust access for VBA must be disallowed.

7 rules found Severity: Medium

Logo

The Save commands default file format must be configured.

1 rule found Severity: Low

Logo

Microsoft Android 11 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

1 rule found Severity: Medium

Logo

Save files default format must be configured.

3 rules found Severity: Medium

Logo

The Save commands default file format must be configured.

3 rules found Severity: Medium

Logo

Exchange must have Send Fatal Errors to Microsoft disabled.

1 rule found Severity: Medium

Logo

Exchange must not send Customer Experience reports to Microsoft.

5 rules found Severity: Medium

Logo

Exchange IMAP4 service must be disabled.

1 rule found Severity: Medium

Logo

Exchange POP3 service must be disabled.

1 rule found Severity: Medium

Logo

Exchange must have the Public Folder virtual directory removed if not in use by the site.

1 rule found Severity: Low

Logo

Exchange must have the Microsoft Active Sync directory removed.

1 rule found Severity: Low

Logo

Exchange Send Fatal Errors to Microsoft must be disabled.

6 rules found Severity: Medium

Logo

The Exchange IMAP4 service must be disabled.

1 rule found Severity: Medium

Logo

The Exchange POP3 service must be disabled.

1 rule found Severity: Medium

Logo

The Opt-In Wizard must be disabled.

2 rules found Severity: Medium

Logo

The Customer Experience Improvement Program for Office must be disabled.

2 rules found Severity: Medium

Logo

Automatic receiving of small updates to improve reliability must be disallowed.

2 rules found Severity: Medium

Logo

The Internet Fax Feature must be disabled.

2 rules found Severity: Medium

Logo

Online content options must be configured for offline content availability.

2 rules found Severity: Medium

Logo

The video informing a user about signing into Office365 must be disabled.

1 rule found Severity: Medium

Logo

The first-run prompt to sign into Office365 must be disabled.

1 rule found Severity: Medium

Logo

The ability to sign into Office365 must be disabled.

1 rule found Severity: Medium

Logo

The ability to automatically hyperlink screenshots within Word, PowerPoint, Excel and Outlook must be disabled.

1 rule found Severity: Medium

Logo

The prompt to save to OneDrive (formerly SkyDrive) must be disabled.

1 rule found Severity: Medium

Logo

Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.

1 rule found Severity: Medium

Logo

The Office Feedback tool must be disabled.

1 rule found Severity: Medium

Logo

Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service.

1 rule found Severity: Medium

Logo

The ability of the Office Telemetry Agent to periodically upload telemetry data to a shared folder must be disabled.

1 rule found Severity: Medium

Logo

The Office Telemetry Agent and Office applications must be configured to collect telemetry data.

1 rule found Severity: Medium

Logo

Folders in non-default stores, set as folder home pages, must be disallowed.

2 rules found Severity: Medium

Logo

Internet calendar integration in Outlook must be disabled.

1 rule found Severity: Medium

Logo

Microsoft passport Service for content must be disallowed.

1 rule found Severity: Medium

Logo

Hyperlinks to web templates in File | New and task panes must be disabled.

1 rule found Severity: Medium

Logo

Office Live Workspace Integration must be off.

1 rule found Severity: Medium

Logo

The use of personal accounts for OneDrive synchronization must be disabled.

1 rule found Severity: Medium

Logo

Do not include Internet Calendar Integration in Outlook must be enforced.

1 rule found Severity: Medium

Logo

RSS feed synchronization with Common Feed List must be disallowed.

2 rules found Severity: Medium

Logo

RSS Feeds must be disallowed.

2 rules found Severity: Medium

Logo

Dragging Unicode eMail messages to file system must be disallowed.

1 rule found Severity: Medium

Logo

User Entries to Server List must be disallowed.

2 rules found Severity: Medium

Logo

Automatically downloading enclosures on RSS must be disallowed.

3 rules found Severity: Medium

Logo

Dragging Unicode email messages to file system must be disallowed.

1 rule found Severity: Medium

Logo

The use of the weather bar in Outlook must be disabled

1 rule found Severity: Medium

Logo

Internet calendar integration in Outlook must be disabled.

1 rule found Severity: Medium

Logo

User Entries to Server List must be disallowed.

1 rule found Severity: Medium

Logo

SQL Server default account [sa] must have its name changed.

1 rule found Severity: Low

Logo

SQL Server must have the publicly available Northwind sample database removed.

1 rule found Severity: Medium

Logo

SQL Server must have the publicly available pubs sample database removed.

1 rule found Severity: Medium

Logo

SQL Server must have the publicly available AdventureWorks sample database removed.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Data Tools (SSDT) software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Reporting Services (SSRS) software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Integration Services (SSIS) software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Analysis Services (SSAS) software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Distributed Replay Client software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Distributed Replay Controller software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Full-Text Search software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Master Data Services software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the SQL Server Replication software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Data Quality Client software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Data Quality Services software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Client Tools SDK software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Management Tools software component removed if it is unused.

1 rule found Severity: Medium

Logo

SQL Server must have the Filestream feature disabled if it is unused.

1 rule found Severity: Medium

Logo

Unused database components that are integrated in SQL Server and cannot be uninstalled must be disabled.

2 rules found Severity: Medium

Logo

The SQL Server default account [sa] must be disabled.

1 rule found Severity: Medium

Logo

Access to xp_cmdshell must be disabled, unless specifically required and approved.

2 rules found Severity: Medium

Logo

Nutanix AOS must not have the rsh-server package installed.

1 rule found Severity: Medium

Logo

Nutanix AOS must not have the ypserv package installed.

1 rule found Severity: Medium

Logo

Nutanix AOS must not have the telnet-server package installed.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule file_cache_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule vhost_alias_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule env_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule mime_magic_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule negotiation_module directive disabled.

1 rule found Severity: Low

Logo

OHS must not have the LanguagePriority directive enabled.

1 rule found Severity: Low

Logo

OHS must not have the ForceLanguagePriority directive enabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule status_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule info_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule include_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule autoindex_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the IndexOptions directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the AddIconByEncoding directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the AddIconByType directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the AddIcon directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the DefaultIcon directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the ReadmeName directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the HeaderName directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the IndexIgnore directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule dir_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the DirectoryIndex directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule cgi_module directive disabled.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule fastcgi_module disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule cgid_module directive disabled for mpm workers.

1 rule found Severity: Medium

Logo

OHS must have the IfModule cgid_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule mpm_winnt_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the ScriptAlias directive for CGI scripts disabled.

1 rule found Severity: Medium

Logo

OHS must have the ScriptSock directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the cgi-bin directory disabled.

2 rules found Severity: Medium

Logo

OHS must have directives pertaining to certain scripting languages removed from virtual hosts.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule asis_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule imagemap_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule actions_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule speling_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule userdir_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the AliasMatch directive pertaining to the OHS manuals disabled.

1 rule found Severity: Medium

Logo

OHS must have the Directory directive pointing to the OHS manuals disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule auth_basic_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule authz_user_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule authn_file_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule authn_anon_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule proxy_module directive disabled.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule proxy_http_module directive disabled.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule proxy_ftp_module directive disabled.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule proxy_connect_module directive disabled.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule proxy_balancer_module directive disabled.

2 rules found Severity: Medium

Logo

OHS must have the LoadModule cern_meta_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule expires_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule usertrack_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule uniqueid_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the LoadModule setenvif_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the BrowserMatch directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule dumpio_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the IfModule dumpio_module directive disabled.

1 rule found Severity: Low

Logo

OHS must have the Alias /icons/ directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the path to the icons directory disabled.

1 rule found Severity: Medium

Logo

OHS must have the IfModule mpm_winnt_module directive disabled.

1 rule found Severity: Low

Logo

OHS must disable the directive pointing to the directory containing the OHS manuals.

1 rule found Severity: Low

Logo

OHS must have the AliasMatch directive disabled for the OHS manuals.

1 rule found Severity: Medium

Logo

OHS must have the AddHandler directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule cgid_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the IfModule cgid_module directive disabled for the OHS server, virtual host, and directory configuration.

1 rule found Severity: Medium

Logo

OHS must have the LoadModule cgi_module directive disabled within the IfModule mpm_winnt_module directive.

1 rule found Severity: Low

Logo

OHS must have the ScriptAlias /cgi-bin/ directive within a IfModule alias_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have the ScriptSock directive within a IfModule cgid_module directive disabled.

1 rule found Severity: Medium

Logo

OHS must have resource mappings set to disable the serving of certain file types.

1 rule found Severity: Medium

Logo

Users and scripts running on behalf of users must be contained to the document root or home directory tree of OHS.

1 rule found Severity: Medium

Logo

If WebLogic is not in use with OHS, OHS must have the include mod_wl_ohs.conf directive disabled at the server level.

1 rule found Severity: Medium

Logo

If mod_plsql is not in use with OHS, OHS must have the include moduleconf/* directive disabled.

1 rule found Severity: Medium

Logo

Oracle WebLogic must adhere to the principles of least functionality by providing only essential capabilities.

1 rule found Severity: Medium

Logo

The Riverbed Optimization System (RiOS) must not have unrelated or unnecessary services enabled on the host.

1 rule found Severity: Medium

Logo

Riverbed Optimization System (RiOS) must not have unnecessary services and functions enabled.

1 rule found Severity: Medium

Logo

The SEL-2740S must be configured to permit the allowed and necessary ports, functions, protocols, and services.

1 rule found Severity: Medium

Logo

Samsung Android must be configured to disable trust agents. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.

2 rules found Severity: Medium

Logo

Samsung Android must be configured to disable Face Recognition. NOTE: This requirement is not applicable (NA) for specific biometric authentication factors included in the product Common Criteria evaluation.

2 rules found Severity: Medium

Logo

Samsung Android must be configured to disable developer modes.

10 rules found Severity: Medium

Logo

Samsung Android must be configured to disable USB mass storage mode.

2 rules found Severity: Medium

Logo

Symantec ProxySG must not have unnecessary services and functions enabled.

1 rule found Severity: Medium

Logo

Symantec ProxySG must be configured to remove or disable unrelated or unneeded application proxy services.

1 rule found Severity: Medium

Logo

The NSX-T Tier-1 Gateway must be configured to have the DHCP service disabled if not in use.

1 rule found Severity: Low

Logo

The NSX-T Tier-0 Gateway must be configured to have the DHCP service disabled if not in use.

1 rule found Severity: Low

Logo

The NSX-T Tier-0 Gateway must be configured to have routing protocols disabled if not in use.

1 rule found Severity: Low

Logo

The NSX-T Tier-0 Gateway must be configured to have multicast disabled if not in use.

1 rule found Severity: Low

Logo

The NSX-T Tier-1 Gateway must be configured to have multicast disabled if not in use.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 16 must implement the management setting: Encrypt iTunes backups/Encrypt local backup.

2 rules found Severity: Medium

Logo

iPhone and iPad must have the latest available iOS/iPadOS operating system installed.

5 rules found Severity: High

Logo

Apple iOS/iPadOS 16 must implement the management setting: force Apple Watch wrist detection.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 16 users must complete required training.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable SMB File Sharing unless it is required.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the Network File System (NFS) daemon unless it is required.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable Location Services.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable Bonjour multicast advertising.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the UUCP service.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable Internet Sharing.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable Web Sharing.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable AirDrop.

2 rules found Severity: Low

Logo

The macOS system must be configured to disable the iCloud Calendar services.

2 rules found Severity: Low

Logo

The macOS system must be configured to disable the iCloud Reminders services.

2 rules found Severity: Low

Logo

The macOS system must be configured to disable iCloud Address Book services.

2 rules found Severity: Low

Logo

The macOS system must be configured to disable the Mail iCloud services.

1 rule found Severity: Low

Logo

The macOS system must be configured to disable the iCloud Notes services.

2 rules found Severity: Low

Logo

The macOS system must cover or disable the built-in or attached camera when not in use.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable Siri and dictation.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the system preference pane for Internet Accounts.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the Cloud Setup services.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the Privacy Setup services.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the Cloud Storage Setup services.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the Siri Setup services.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Keychain synchronization.

3 rules found Severity: Medium

Logo

The macOS system must disable iCloud document synchronization.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud bookmark synchronization.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud photo library.

1 rule found Severity: Medium

Logo

The macOS system must be configured to disable the system preference pane for TouchID.

1 rule found Severity: Medium

Logo

The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable the system preference pane for Siri.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable prompts to configure Touch ID.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable prompts to configure ScreenTime.

2 rules found Severity: Low

Logo

The macOS system must be configured to disable promts to configure Unlock with Watch.

1 rule found Severity: Medium

Logo

The macOS system must be configured to prevent activity continuation between Apple Devices.

1 rule found Severity: Low

Logo

The macOS system must be configured to prevent password proximity sharing requests from nearby Apple Devices.

1 rule found Severity: Medium

Logo

The macOS system must be configured to prevent users from erasing all system content and settings.

2 rules found Severity: Medium

Logo

The Ubuntu operating system must not have the Network Information Service (NIS) package installed.

1 rule found Severity: High

Logo

The Ubuntu operating system must not have the rsh-server package installed.

2 rules found Severity: High

Logo

Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled.

4 rules found Severity: Medium

Logo

The Java permissions must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Functionality to drag and drop or copy and paste files must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Launching programs and files in IFRAME must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Clipboard operations via script must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Java permissions must be configured with High Safety (Intranet zone).

1 rule found Severity: Medium

Logo

Java permissions must be configured with High Safety (Trusted Sites zone).

1 rule found Severity: Medium

Logo

Run once selection for running outdated ActiveX controls must be disabled.

1 rule found Severity: Medium

Logo

Enabling outdated ActiveX controls for Internet Explorer must be blocked.

1 rule found Severity: Medium

Logo

Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Internet Zone.

1 rule found Severity: Medium

Logo

Use of the Tabular Data Control (TDC) ActiveX control must be disabled for the Restricted Sites Zone.

1 rule found Severity: Medium

Logo

File downloads must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Java permissions must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Functionality to drag and drop or copy and paste files must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Launching programs and files in IFRAME must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Active scripting must be disallowed (Restricted Sites Zone).

1 rule found Severity: Medium

Logo

Clipboard operations via script must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Internet Explorer must be set to disallow users to add/delete sites.

1 rule found Severity: Medium

Logo

Script-initiated windows without size or position constraints must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Script-initiated windows without size or position constraints must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Scriptlets must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Automatic prompting for file downloads must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Java permissions must be disallowed (Local Machine zone).

1 rule found Severity: Medium

Logo

Java permissions must be disallowed (Locked Down Local Machine zone).

1 rule found Severity: Medium

Logo

Java permissions must be disallowed (Locked Down Intranet zone).

1 rule found Severity: Medium

Logo

Java permissions must be disallowed (Locked Down Trusted Sites zone).

1 rule found Severity: Medium

Logo

Java permissions must be disallowed (Locked Down Restricted Sites zone).

1 rule found Severity: Medium

Logo

Pop-up Blocker must be enforced (Internet zone).

1 rule found Severity: Medium

Logo

Pop-up Blocker must be enforced (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Allow binary and script behaviors must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Automatic prompting for file downloads must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for MK protocol must be enforced (Reserved).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for MK protocol must be enforced (Explorer).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for MK protocol must be enforced (iexplore).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Restrict File Download must be enforced (Reserved).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Restrict File Download must be enforced (Explorer).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Restrict File Download must be enforced (iexplore).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for restricting pop-up windows must be enforced (Reserved).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for restricting pop-up windows must be enforced (Explorer).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for restricting pop-up windows must be enforced (iexplore).

1 rule found Severity: Medium

Logo

Scripting of Java applets must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

AutoComplete feature for forms must be disallowed.

1 rule found Severity: Medium

Logo

Crash Detection management must be enforced.

1 rule found Severity: Medium

Logo

Turn on the auto-complete feature for user names and passwords on forms must be disabled.

1 rule found Severity: Medium

Logo

Scripting of Internet Explorer WebBrowser control property must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

When uploading files to a server, the local directory path must be excluded (Internet zone).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Notification Bars must be enforced (Reserved).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Notification Bars must be enforced (Explorer).

1 rule found Severity: Medium

Logo

Internet Explorer Processes for Notification Bars must be enforced (iexplore).

1 rule found Severity: Medium

Logo

Cross-Site Scripting Filter must be enforced (Internet zone).

1 rule found Severity: Medium

Logo

Scripting of Internet Explorer WebBrowser Control must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

When uploading files to a server, the local directory path must be excluded (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Cross-Site Scripting Filter property must be enforced (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Status bar updates via script must be disallowed (Internet zone).

1 rule found Severity: Medium

Logo

Scriptlets must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Status bar updates via script must be disallowed (Restricted Sites zone).

1 rule found Severity: Medium

Logo

Unused database components that are integrated in the DBMS and cannot be uninstalled must be disabled.

3 rules found Severity: Medium

Logo

Use of external executables must be authorized.

1 rule found Severity: Medium

Logo

OS accounts utilized to run external procedures called by the DBMS must have limited privileges.

2 rules found Severity: Medium

Logo

Unused database components, PostgreSQL software, and database objects must be removed.

3 rules found Severity: Medium

Logo

Unused database components which are integrated in PostgreSQL and cannot be uninstalled must be disabled.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must not have the rsh-server package installed.

1 rule found Severity: High

Logo

The Red Hat Enterprise Linux operating system must not have the ypserv package installed.

1 rule found Severity: High

Logo

The Red Hat Enterprise Linux operating system must not have the telnet-server package installed.

1 rule found Severity: High

Logo

Zebra Android 11 must be configured to disable trust agents.

1 rule found Severity: Medium

Logo

Zebra Android 11 must be configured to disable developer modes.

1 rule found Severity: Medium

Logo

Zebra Android 11 must be configured to disable USB mass storage mode.

1 rule found Severity: Medium

Logo

Zebra Android 11 must allow only the Administrator (EMM) to perform the following management function: Enable/disable location services.

1 rule found Severity: Low

Logo

Default, demonstration and sample databases, database objects, and applications must be removed.

2 rules found Severity: Medium

Logo

Unused database components, EDB Postgres Advanced Server software, and database objects must be removed.

2 rules found Severity: Medium

Logo

Unused database components which are integrated in the EDB Postgres Advanced Server and cannot be uninstalled must be disabled.

2 rules found Severity: Medium

Logo

The BIG-IP Core implementation must be configured so that only functions, ports, protocols, and/or services that are documented for the server/application for which the virtual servers are providing connectivity.

1 rule found Severity: Medium

Logo

The BIG-IP Core implementation must be configured to remove or disable any functions, ports, protocols, and/or services that are not documented as required.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 17 must implement the management setting: Encrypt backups/Encrypt local backup.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 17 must implement the management setting: force Apple Watch wrist detection.

2 rules found Severity: Low

Logo

Apple iOS/iPadOS 17 users must complete required training.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 16 must implement the management setting: Not allow automatic completion of Safari browser passcodes.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 16 must implement the management setting: not allow use of Handoff.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 16 must implement the management setting: Disable Allow Shared Albums.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 16 must implement the management setting: Force Apple Watch wrist detection.

1 rule found Severity: Low

Logo

Stack tracing must be disabled.

1 rule found Severity: Medium

Logo

The shutdown port must be disabled.

1 rule found Severity: Medium

Logo

Unapproved connectors must be disabled.

1 rule found Severity: Medium

Logo

DefaultServlet debug parameter must be disabled.

1 rule found Severity: Low

Logo

DefaultServlet directory listings parameter must be disabled.

1 rule found Severity: Low

Logo

The deployXML attribute must be set to false in hosted environments.

1 rule found Severity: Medium

Logo

Autodeploy must be disabled.

1 rule found Severity: Medium

Logo

xpoweredBy attribute must be disabled.

1 rule found Severity: Low

Logo

Example applications must be removed.

1 rule found Severity: Low

Logo

Tomcat default ROOT web application must be removed.

1 rule found Severity: Low

Logo

Documentation must be removed.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 17 must implement the management setting: not allow automatic completion of Safari browser passcodes.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 17 must implement the management setting: not allow use of Handoff.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 17 must implement the management setting: not allow use of iPhone widgets on Mac.

1 rule found Severity: Low

Logo

The macOS system must be configured to disable the iCloud Mail services.

1 rule found Severity: Low

Logo

The macOS system must disable iCloud Document synchronization.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Bookmark synchronization.

1 rule found Severity: Medium

Logo

The macOS system must disable the iCloud Photo Library.

1 rule found Severity: Medium

Logo

The macOS system must be configured to disable the system preference pane for TouchID and Password.

1 rule found Severity: Medium

Logo

The macOS system must be configured to disable prompts to configure Unlock with Watch.

1 rule found Severity: Medium

Logo

The macOS system must be configured to prevent activity continuation between Apple devices.

1 rule found Severity: Low

Logo

The macOS system must be configured to prevent password proximity sharing requests from nearby Apple devices.

1 rule found Severity: Medium

Logo

The Arista router must be configured to have all non-essential capabilities disabled.

1 rule found Severity: Low

Logo

The EMPDEMO databases, database objects, and applications must be removed.

1 rule found Severity: Low

Logo

Default demonstration and sample databases, database objects, and applications must be removed.

1 rule found Severity: Low

Logo

IDMS components that cannot be uninstalled must be disabled.

1 rule found Severity: Low

Logo

Unused database components that are integrated in PostgreSQL and cannot be uninstalled must be disabled.

2 rules found Severity: Medium

Logo

The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

1 rule found Severity: Medium

Logo

The Cisco router must be configured to have all non-essential capabilities disabled.

1 rule found Severity: Low

Logo

The Enterprise Voice, Video, and Messaging Endpoint must be configured to disable or remove nonessential capabilities.

1 rule found Severity: Medium

Logo

The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: High

Logo

The Enterprise Voice, Video, and Messaging Session Manager must be configured to disable nonessential capabilities.

1 rule found Severity: Medium

Logo

Sites ability to show pop-ups must be disabled.

1 rule found Severity: Medium

Logo

The default search providers name must be set.

1 rule found Severity: Medium

Logo

The default search provider URL must be set to perform encrypted searches.

1 rule found Severity: Medium

Logo

Default search provider must be enabled.

1 rule found Severity: Medium

Logo

The Password Manager must be disabled.

1 rule found Severity: Medium

Logo

The URL protocol schema javascript must be disabled.

1 rule found Severity: Medium

Logo

Metrics reporting to Google must be disabled.

1 rule found Severity: Medium

Logo

Search suggestions must be disabled.

2 rules found Severity: Medium

Logo

Importing of saved passwords must be disabled.

2 rules found Severity: Medium

Logo

WebUSB must be disabled.

2 rules found Severity: Medium

Logo

Google Cast must be disabled.

2 rules found Severity: Medium

Logo

Autoplay must be disabled.

1 rule found Severity: Medium

Logo

Web Bluetooth API must be disabled.

2 rules found Severity: Medium

Logo

The HPE 3PAR OS must be configured to disable nonessential web-services.

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must be configured to disable nonessential Common Information Model services.

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must be configured to disable nonessential VASA VVol services.

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must be configured to disable nonessential Remote Copy services.

1 rule found Severity: Medium

Logo

The AIX qdaemon must be disabled if local or remote printing is not required.

1 rule found Severity: Medium

Logo

If AIX system does not act as a remote print server for other servers, the lpd daemon must be disabled.

1 rule found Severity: Medium

Logo

If AIX system does not support either local or remote printing, the piobe service must be disabled.

1 rule found Severity: Medium

Logo

If there are no X11 clients that require CDE on AIX, the dt service must be disabled.

1 rule found Severity: Medium

Logo

If NFS is not required on AIX, the NFS daemon must be disabled.

1 rule found Severity: Medium

Logo

If sendmail is not required on AIX, the sendmail service must be disabled.

1 rule found Severity: Medium

Logo

If SNMP is not required on AIX, the snmpd service must be disabled.

1 rule found Severity: Medium

Logo

The AIX DHCP client must be disabled.

1 rule found Severity: Medium

Logo

If DHCP is not enabled in the network on AIX, the dhcprd daemon must be disabled.

1 rule found Severity: Medium

Logo

If IPv6 is not utilized on AIX server, the autoconf6 daemon must be disabled.

1 rule found Severity: Medium

Logo

If AIX server is not functioning as a network router, the gated daemon must be disabled.

1 rule found Severity: Medium

Logo

If AIX server is not functioning as a multicast router, the mrouted daemon must be disabled.

1 rule found Severity: Medium

Logo

If AIX server is not functioning as a DNS server, the named daemon must be disabled.

1 rule found Severity: Medium

Logo

If AIX server is not functioning as a network router, the routed daemon must be disabled.

1 rule found Severity: Medium

Logo

If rwhod is not required on AIX, the rwhod daemon must be disabled.

1 rule found Severity: Medium

Logo

The timed daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

If AIX server does not host an SNMP agent, the dpid2 daemon must be disabled.

1 rule found Severity: Medium

Logo

If SNMP is not required on AIX, the snmpmibd daemon must be disabled.

1 rule found Severity: Medium

Logo

The aixmibd daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The ndpd-host daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The ndpd-router must be disabled on AIX.

1 rule found Severity: Medium

Logo

The daytime daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The cmsd daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The ttdbserver daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The uucp (UNIX to UNIX Copy Program) daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The time daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The talk daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The ntalk daemon must be disabled on AIX.

1 rule found Severity: High

Logo

The chargen daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The discard daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The dtspc daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The pcnfsd daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The rstatd daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The rusersd daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The sprayd daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The klogin daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The kshell daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The rquotad daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The tftp daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The imap2 service must be disabled on AIX.

1 rule found Severity: Medium

Logo

The pop3 daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The finger daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The instsrv daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The echo daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

The Internet Network News (INN) server must be disabled on AIX.

1 rule found Severity: Medium

Logo

If DHCP server is not required on AIX, the DHCP server must be disabled.

1 rule found Severity: Medium

Logo

The rwalld daemon must be disabled on AIX.

1 rule found Severity: Medium

Logo

JBoss process owner interactive access must be restricted.

1 rule found Severity: High

Logo

Google Analytics must be disabled in EAP Console.

1 rule found Severity: Medium

Logo

JBoss process owner execution permissions must be limited.

1 rule found Severity: High

Logo

JBoss QuickStarts must be removed.

1 rule found Severity: Medium

Logo

Remote access to JMX subsystem must be disabled.

1 rule found Severity: Medium

Logo

Welcome Web Application must be disabled.

1 rule found Severity: Low

Logo

Any unapproved applications must be removed.

1 rule found Severity: Medium

Logo

The Juniper router must be configured to have all nonessential capabilities disabled.

1 rule found Severity: Low

Logo

Kubernetes Controller Manager must disable profiling.

1 rule found Severity: Medium

Logo

User-managed resources must be created in dedicated namespaces.

1 rule found Severity: Medium

Logo

MSR's self-signed certificates must be replaced with DOD trusted, signed certificates.

1 rule found Severity: Medium

Logo

Allowing users and administrators to schedule containers on all nodes must be disabled.

1 rule found Severity: Medium

Logo

MKE telemetry must be disabled.

1 rule found Severity: Medium

Logo

MSR telemetry must be disabled.

1 rule found Severity: Medium

Logo

For MKE's deployed on an Ubuntu host operating system, the AppArmor profile must be enabled.

1 rule found Severity: Medium

Logo

If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled.

1 rule found Severity: Medium

Logo

The Docker socket must not be mounted inside any containers.

1 rule found Severity: Medium

Logo

Linux Kernel capabilities must be restricted within containers.

1 rule found Severity: Medium

Logo

Incoming container traffic must be bound to a specific host interface.

1 rule found Severity: Medium

Logo

CPU priority must be set appropriately on all containers.

1 rule found Severity: Medium

Logo

MKE's self-signed certificates must be replaced with DOD trusted, signed certificates.

1 rule found Severity: Medium

Logo

The "Create repository on push" option in MSR must be disabled.

1 rule found Severity: Medium

Logo

Background processing must be disabled.

1 rule found Severity: Medium

Logo

The ability of sites to show pop-ups must be disabled.

1 rule found Severity: Medium

Logo

The default search provider must be set to use an encrypted connection.

1 rule found Severity: Medium

Logo

Data Synchronization must be disabled.

1 rule found Severity: Low

Logo

Network prediction must be disabled.

1 rule found Severity: Medium

Logo

Importing of autofill form data must be disabled.

1 rule found Severity: Medium

Logo

Importing of browser settings must be disabled.

1 rule found Severity: Low

Logo

Importing of cookies must be disabled.

1 rule found Severity: Medium

Logo

Importing of extensions must be disabled.

1 rule found Severity: Medium

Logo

Importing of browsing history must be disabled.

1 rule found Severity: Medium

Logo

Importing of home page settings must be disabled.

1 rule found Severity: Medium

Logo

Importing of open tabs must be disabled.

1 rule found Severity: Medium

Logo

Importing of payment info must be disabled.

1 rule found Severity: Medium

Logo

Importing of search engine settings must be disabled.

1 rule found Severity: Medium

Logo

Importing of shortcuts must be disabled.

1 rule found Severity: Medium

Logo

AutoplayAllowed must be set to disabled.

1 rule found Severity: Medium

Logo

Autofill for Credit Cards must be disabled.

1 rule found Severity: Medium

Logo

Autofill for addresses must be disabled.

1 rule found Severity: Medium

Logo

Personalization of ads, search, and news by sending browsing history to Microsoft must be disabled.

1 rule found Severity: Medium

Logo

Site tracking of a user’s location must be disabled.

1 rule found Severity: Medium

Logo

Edge development tools must be disabled.

1 rule found Severity: Low

Logo

Download restrictions must be configured.

1 rule found Severity: Low

Logo

Extensions installation must be blocklisted by default.

1 rule found Severity: Medium

Logo

Site isolation for every site must be enabled.

1 rule found Severity: Medium

Logo

Microsoft Defender SmartScreen must be enabled.

1 rule found Severity: Medium

Logo

Microsoft Defender SmartScreen must be configured to block potentially unwanted apps.

1 rule found Severity: Medium

Logo

The download location prompt must be configured.

1 rule found Severity: Low

Logo

A website's ability to query for payment methods must be disabled.

1 rule found Severity: Medium

Logo

Suggestions of similar web pages in the event of a navigation error must be disabled.

1 rule found Severity: Medium

Logo

User feedback must be disabled.

1 rule found Severity: Medium

Logo

The collections feature must be disabled.

1 rule found Severity: Medium

Logo

The Share Experience feature must be disabled.

1 rule found Severity: Medium

Logo

Guest mode must be disabled.

1 rule found Severity: Medium

Logo

Relaunch notification must be required.

1 rule found Severity: Medium

Logo

Use of the QUIC protocol must be disabled.

1 rule found Severity: Medium

Logo

The list of domains media autoplay allows must be allowlisted if used.

1 rule found Severity: Low

Logo

Visual Search must be disabled.

1 rule found Severity: Medium

Logo

Copilot must be disabled.

1 rule found Severity: Medium

Logo

FriendlyURLs must be disabled.

1 rule found Severity: Medium

Logo

Azure SQL Database default demonstration and sample databases, database objects, and applications must be removed.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must not perform user management for hosted applications.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must only contain functions necessary for operation.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must not be both a website server and a proxy server.

1 rule found Severity: Medium

Logo

All IIS 10.0 web server sample code, example applications, and tutorials must be removed from a production IIS 10.0 server.

1 rule found Severity: High

Logo

The accounts created by uninstalled features (i.e., tools, utilities, specific, etc.) must be deleted from the IIS 10.0 server.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must be reviewed on a regular basis to remove any Operating System features, utility programs, plug-ins, and modules not necessary for operation.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must have Web Distributed Authoring and Versioning (WebDAV) disabled.

1 rule found Severity: Medium

Logo

An IIS Server configured to be a SMTP relay must require authentication.

1 rule found Severity: Medium

Logo

The Request Smuggling filter must be enabled.

1 rule found Severity: Medium

Logo

The IIS 10.0 website must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

1 rule found Severity: Medium

Logo

Mappings to unused and vulnerable scripts on the IIS 10.0 website must be removed.

1 rule found Severity: Medium

Logo

The IIS 10.0 website must have resource mappings set to disable the serving of certain file types.

1 rule found Severity: Medium

Logo

The IIS 10.0 website must have Web Distributed Authoring and Versioning (WebDAV) disabled.

1 rule found Severity: Medium

Logo

Interactive scripts on the IIS 10.0 web server must be located in unique and designated folders.

1 rule found Severity: Medium

Logo

Interactive scripts on the IIS 10.0 web server must have restrictive access controls.

1 rule found Severity: Medium

Logo

Backup interactive scripts on the IIS 10.0 server must be removed.

1 rule found Severity: Medium

Logo

Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

2 rules found Severity: High

Logo

Simple TCP/IP Services must not be installed on the system.

2 rules found Severity: Medium

Logo

The Windows PowerShell 2.0 feature must be disabled on the system.

2 rules found Severity: Medium

Logo

The Server Message Block (SMB) v1 protocol must be disabled on the system.

2 rules found Severity: Medium

Logo

The Server Message Block (SMB) v1 protocol must be disabled on the SMB server.

3 rules found Severity: Medium

Logo

The Server Message Block (SMB) v1 protocol must be disabled on the SMB client.

3 rules found Severity: Medium

Logo

The Secondary Logon service must be disabled on Windows 11.

1 rule found Severity: Medium

Logo

Bluetooth must be turned off unless approved by the organization.

2 rules found Severity: Medium

Logo

Bluetooth must be turned off when not in use.

2 rules found Severity: Medium

Logo

Camera access from the lock screen must be disabled.

2 rules found Severity: Medium

Logo

Windows 11 must cover or disable the built-in or attached camera when not in use.

1 rule found Severity: Medium

Logo

The display of slide shows on the lock screen must be disabled.

3 rules found Severity: Medium

Logo

WDigest Authentication must be disabled.

2 rules found Severity: Medium

Logo

Run as different user must be removed from context menus.

2 rules found Severity: Medium

Logo

Internet connection sharing must be disabled.

2 rules found Severity: Medium

Logo

Downloading print driver packages over HTTP must be prevented.

3 rules found Severity: Medium

Logo

Web publishing and online ordering wizards must be prevented from downloading a list of providers.

2 rules found Severity: Medium

Logo

Printing over HTTP must be prevented.

3 rules found Severity: Medium

Logo

The network selection user interface (UI) must not be displayed on the logon screen.

3 rules found Severity: Medium

Logo

Local users on domain-joined computers must not be enumerated.

3 rules found Severity: Medium

Logo

The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

3 rules found Severity: Low

Logo

Microsoft consumer experiences must be turned off.

2 rules found Severity: Low

Logo

The Microsoft Defender SmartScreen for Explorer must be enabled.

1 rule found Severity: Medium

Logo

Windows 11 must be configured to disable Windows Game Recording and Broadcasting.

1 rule found Severity: Medium

Logo

Basic authentication for RSS feeds over HTTP must not be used.

3 rules found Severity: Medium

Logo

Indexing of encrypted files must be turned off.

3 rules found Severity: Medium

Logo

The convenience PIN for Windows 11 must be disabled.

1 rule found Severity: Medium

Logo

Windows 11 must be configured to prevent users from receiving suggestions for third-party or additional applications.

1 rule found Severity: Low

Logo

Toast notifications to the lock screen must be turned off.

2 rules found Severity: Low

Logo

Windows 11 must not have portproxy enabled or in use.

1 rule found Severity: Medium

Logo

The roles and features required by the system must be documented.

1 rule found Severity: Medium

Logo

The Fax Server role must not be installed.

1 rule found Severity: Medium

Logo

The Peer Name Resolution Protocol must not be installed.

1 rule found Severity: Medium

Logo

Simple TCP/IP Services must not be installed.

1 rule found Severity: Medium

Logo

The TFTP Client must not be installed.

1 rule found Severity: Medium

Logo

The Server Message Block (SMB) v1 protocol must be uninstalled.

1 rule found Severity: Medium

Logo

Windows PowerShell 2.0 must not be installed.

1 rule found Severity: Medium

Logo

WDigest Authentication must be disabled on Windows Server 2016.

1 rule found Severity: Medium

Logo

Windows Server 2016 Windows SmartScreen must be enabled.

1 rule found Severity: Medium

Logo

Domain controllers must run on a machine dedicated to that function.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must not have the rsh-server package installed.

1 rule found Severity: High

Logo

The Oracle Linux operating system must not have the ypserv package installed.

1 rule found Severity: High

Logo

The Oracle Linux operating system must not have the telnet-server package installed.

1 rule found Severity: High

Logo

Unused database components, MySQL Database Server 8.0 software, and database objects must be removed.

1 rule found Severity: Medium

Logo

Unused database components which are integrated in the MySQL Database Server 8.0 and cannot be uninstalled must be disabled.

1 rule found Severity: Medium

Logo

Unused database components that are integrated in Redis Enterprise DBMS and cannot be uninstalled must be disabled.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX front-end web servers must not perform user management for hosted applications.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX web servers must not be a proxy server for any process other than the Automation Controller application.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX webserver accounts not utilized by installed features (i.e., tools, utilities, specific services, etc.) must not be created and must be deleted when the web server feature is uninstalled.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX web servers must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX web servers must have Web Distributed Authoring (WebDAV) disabled.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX web servers must protect system resources and privileged operations from hosted applications.

1 rule found Severity: Low

Logo

The router must be configured to have all non-essential capabilities disabled.

1 rule found Severity: Low

Logo

The SDN controller must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

SLEM 5 must not have the telnet-server package installed.

1 rule found Severity: High

Logo

When Splunk Enterprise is distributed over multiple servers, each server must be configured to disable non-essential capabilities.

2 rules found Severity: Medium

Logo

The SMS must be configured to remove or disable nonessential capabilities on SMS and TPS, which are not required for operation or not related to IDPS functionality.

1 rule found Severity: Medium

Logo

TOSS must not have the rsh-server package installed.

1 rule found Severity: Medium

Logo

TOSS must cover or disable the built-in or attached camera when not in use.

1 rule found Severity: Medium

Logo

TOSS must disable IEEE 1394 (FireWire) Support.

1 rule found Severity: Medium

Logo

TOSS must disable mounting of cramfs.

1 rule found Severity: Medium

Logo

TOSS must disable network management of the chrony daemon.

1 rule found Severity: Medium

Logo

TOSS must disable the asynchronous transfer mode (ATM) protocol.

1 rule found Severity: Medium

Logo

TOSS must disable the controller area network (CAN) protocol.

1 rule found Severity: Medium

Logo

TOSS must disable the stream control transmission (SCTP) protocol.

1 rule found Severity: Medium

Logo

TOSS must disable the transparent inter-process communication (TIPC) protocol.

1 rule found Severity: Medium

Logo

TOSS must not have any automated bug reporting tools installed.

1 rule found Severity: Medium

Logo

TOSS must not have the sendmail package installed.

1 rule found Severity: Medium

Logo

TOSS must not have the telnet-server package installed.

1 rule found Severity: Medium

Logo

The web server must not perform user management for hosted applications.

1 rule found Severity: Medium

Logo

The web server must only contain services and functions necessary for operation.

1 rule found Severity: Medium

Logo

The web server must not be a proxy server.

1 rule found Severity: Medium

Logo

The web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.

1 rule found Severity: Medium

Logo

Web server accounts not utilized by installed features (i.e., tools, utilities, specific services, etc.) must not be created and must be deleted when the web server feature is uninstalled.

1 rule found Severity: Medium

Logo

The web server must provide install options to exclude installation of utility programs, services, plug-ins, and modules not necessary for operation.

1 rule found Severity: Medium

Logo

The web server must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled.

1 rule found Severity: Medium

Logo

The web server must allow the mappings to unused and vulnerable scripts to be removed.

1 rule found Severity: Medium

Logo

The web server must have resource mappings set to disable the serving of certain file types.

1 rule found Severity: Medium

Logo

The web server must have Web Distributed Authoring (WebDAV) disabled.

1 rule found Severity: Medium

Logo

The web server must protect system resources and privileged operations from hosted applications.

1 rule found Severity: Medium

Logo

Users and scripts running on behalf of users must be contained to the document root or home directory tree of the web server.

1 rule found Severity: Medium

Logo

Uninstall iprutils Package

9 rules found Severity: Medium

Logo

Uninstall tuned Package

9 rules found Severity: Medium

Logo

Disable Bluetooth Kernel Module

11 rules found Severity: Medium

Logo

Uninstall nfs-utils Package

12 rules found Severity: Low

Logo

AAA Services must be configured to disable non-essential modules.

1 rule found Severity: Medium

Logo

The Apache web server must not perform user management for hosted applications.

4 rules found Severity: Medium

Logo

The Apache web server must only contain services and functions necessary for operation.

2 rules found Severity: Medium

Logo

The Apache web server must not be a proxy server.

2 rules found Severity: Medium

Logo

The Apache web server must provide install options to exclude the installation of documentation, sample code, example applications, and tutorials.

2 rules found Severity: High

Logo

The Apache web server must have resource mappings set to disable the serving of certain file types.

4 rules found Severity: Medium

Logo

The Apache web server must allow the mappings to unused and vulnerable scripts to be removed.

3 rules found Severity: Medium

Logo

The Apache web server must have Web Distributed Authoring (WebDAV) disabled.

2 rules found Severity: Medium

Logo

Apache web server application directories, libraries, and configuration files must only be accessible to privileged users.

2 rules found Severity: High

Logo

The Apache web server must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

The Apache web server must allow mappings to unused and vulnerable scripts to be removed.

1 rule found Severity: Medium

Logo

Users and scripts running on behalf of users must be contained to the document root or home directory tree of the Apache web server.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 18 must implement the management setting: not allow automatic completion of Safari browser passcodes.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 18 must implement the management setting: encrypt backups/Encrypt local backup.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must implement the management setting: not allow use of Handoff.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 18 must implement the management setting: not allow use of iPhone widgets on Mac.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 18 must implement the management setting: force Apple Watch wrist detection.

1 rule found Severity: Low

Logo

Apple iOS/iPadOS 18 users must complete required training.

1 rule found Severity: Medium

Logo

The macOS system must disable Location Services.

2 rules found Severity: Medium

Logo

The macOS system must disable Bonjour multicast.

2 rules found Severity: Medium

Logo

The macOS system must disable Internet Sharing.

2 rules found Severity: Medium

Logo

The macOS system must disable AirDrop.

2 rules found Severity: Medium

Logo

The macOS system must disable FaceTime.app.

2 rules found Severity: Medium

Logo

The macOS system must disable the iCloud Calendar services.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Reminders.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Address Book.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Mail.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Notes.

2 rules found Severity: Medium

Logo

The macOS system must disable the camera.

2 rules found Severity: Medium

Logo

The macOS system must disable Siri.

2 rules found Severity: Medium

Logo

The macOS system must disable Apple ID setup during Setup Assistant.

2 rules found Severity: Medium

Logo

The macOS system must disable Privacy Setup services during Setup Assistant.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Storage Setup during Setup Assistant.

1 rule found Severity: Medium

Logo

The macOS system must disable Siri Setup during Setup Assistant.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Bookmarks.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Photo Library.

2 rules found Severity: Medium

Logo

The macOS system must disable the TouchID System Settings pane.

1 rule found Severity: Medium

Logo

The macOS system must disable the System Settings pane for Wallet and Apple Pay.

2 rules found Severity: Medium

Logo

The macOS system must disable the system settings pane for Siri.

2 rules found Severity: Medium

Logo

The macOS system must disable Airplay Receiver.

2 rules found Severity: Medium

Logo

The macOS system must disable Bluetooth sharing.

1 rule found Severity: Medium

Logo

The macOS system must disable AppleID and Internet Account modifications.

1 rule found Severity: Medium

Logo

The macOS system must disable CD/DVD Sharing.

2 rules found Severity: Medium

Logo

The macOS system must disable content caching service.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud desktop and document folder synchronization.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud Game Center.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud Private Relay.

2 rules found Severity: Medium

Logo

The macOS system must disable Find My service.

2 rules found Severity: Medium

Logo

The macOS system must disable password autofill.

1 rule found Severity: Medium

Logo

The macOS system must disable personalized advertising.

1 rule found Severity: Medium

Logo

The macOS system must disable sending Siri and Dictation information to Apple.

2 rules found Severity: Medium

Logo

The macOS system must enforce on device dictation.

1 rule found Severity: Medium

Logo

The macOS system must disable dictation.

1 rule found Severity: Medium

Logo

The macOS system must disable Printer Sharing.

2 rules found Severity: Medium

Logo

The macOS system must disable Remote Management.

2 rules found Severity: Medium

Logo

The macOS system must disable the Bluetooth system settings pane.

1 rule found Severity: Medium

Logo

The macOS system must disable the iCloud Freeform services.

2 rules found Severity: Medium

Logo

The macOS system must disable iCloud storage setup during Setup Assistant.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud Keychain Sync.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud Document Sync.

1 rule found Severity: Medium

Logo

The macOS system must disable Bluetooth Sharing.

1 rule found Severity: Medium

Logo

The macOS system must disable AppleID and internet Account Modification.

1 rule found Severity: Medium

Logo

The macOS system must disable Content Caching service.

1 rule found Severity: Medium

Logo

The macOS system must disable iCloud Desktop and Document folder sync.

1 rule found Severity: Medium

Logo

The macOS system must disable Personalized Advertising.

1 rule found Severity: Medium

Logo

The macOS system must enforce On Device Dictation.

1 rule found Severity: Medium

Logo

The macOS system must disable Dictation.

1 rule found Severity: Medium

Logo

The macOS system must disable the Bluetooth System Settings pane.

1 rule found Severity: Medium

Logo

The macOS system must disable TouchID prompt during Setup Assistant.

1 rule found Severity: Medium

Logo

The macOS system must disable Screen Time prompt during Setup Assistant.

1 rule found Severity: Medium

Logo

The macOS system must disable Unlock with Apple Watch during Setup Assistant.

2 rules found Severity: Medium

Logo

The macOS system must disable Handoff.

2 rules found Severity: Medium

Logo

The macOS system must disable proximity-based password sharing requests.

2 rules found Severity: Medium

Logo

The macOS system must disable Erase Content and Settings.

2 rules found Severity: Medium

Logo

The ALG must not have unnecessary services and functions enabled.

1 rule found Severity: Medium

Logo

The ALG must be configured to remove or disable unrelated or unneeded application proxy services.

1 rule found Severity: Medium

Logo

The macOS system must disable the TouchID prompt during Setup Assistant.

1 rule found Severity: Medium

Logo

The macOS system must disable the Screen Time prompt during Setup Assistant.

1 rule found Severity: Medium

Logo

The macOS system must disable Genmoji.

1 rule found Severity: Medium

Logo

The macOS system must disable Apple Intelligence Image Generation.

1 rule found Severity: Medium

Logo

The macOS system must disable Apple Intelligence Writing Tools.

1 rule found Severity: Medium

Logo

The macOS system must disable sending audio recordings and transcripts to Apple.

1 rule found Severity: Medium

Logo

The macOS system must disable sending search data from Spotlight to Apple.

1 rule found Severity: Medium

Logo

The application server must adhere to the principles of least functionality by providing only essential capabilities.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must not have the "rsh-server" package installed.

1 rule found Severity: High

Logo

The Central Log Server must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The container platform must be configured with only essential configurations.

1 rule found Severity: Medium

Logo

The container platform registry must contain only container images for those capabilities being offered by the container platform.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable remote management of the chrony daemon.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must prevent the chrony daemon from acting as a server.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the iprutils package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the quagga package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the sendmail package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the telnet-server package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have a Trivial File Transfer Protocol (TFTP) client package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the cups package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the gssproxy package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable the Asynchronous Transfer Mode (ATM) kernel module.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must be configured to disable Bluetooth.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable the Controller Area Network (CAN) kernel module.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable mounting of cramfs.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable mounting of squashfs.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must disable mounting of udf.

1 rule found Severity: Medium

Logo

Cameras must be disabled or covered when not in use.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the nfs-utils package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the rsh package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the rsh-server package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the tuned package installed.

1 rule found Severity: Medium

Logo

A graphical display manager must not be installed on AlmaLinux OS 9 unless approved.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the ypserv package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must not have the avahi package installed.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must be configured to disable USB mass storage.

1 rule found Severity: Medium

Logo

The firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

1 rule found Severity: Medium

Logo

Google Android 13 must be configured to disable developer modes.

2 rules found Severity: Medium

Logo

Google Android 14 must be configured to disable developer modes.

2 rules found Severity: Medium

Logo

Google Android 14 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).

2 rules found Severity: Low

Logo

Google Android 15 must be configured to disable developer modes.

2 rules found Severity: Medium

Logo

Google Android 15 must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).

2 rules found Severity: Low

Logo

The operating system must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

AOS must be configured to disable nonessential capabilities.

1 rule found Severity: Medium

Logo

The IDPS must be configured to remove or disable non-essential capabilities which are not required for operation or not related to IDPS functionality (e.g., DNS, email client or server, FTP server, or web server).

1 rule found Severity: Medium

Logo

The IDPS must be configured to remove or disable non-essential features, functions, and services of the IDPS application.

1 rule found Severity: Medium

Logo

IBM z/OS Inapplicable PPT entries must be invalidated.

1 rule found Severity: Medium

Logo

IBM z/OS must not have inaccessible APF libraries defined.

2 rules found Severity: Medium

Logo

IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s).

3 rules found Severity: Medium

Logo

Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.

2 rules found Severity: Medium

Logo

IBM zOS inapplicable PPT entries must be invalidated.

1 rule found Severity: Medium

Logo

IBM z/OS must not have duplicated sensitive utilities and/or programs existing in APF libraries.

1 rule found Severity: Low

Logo

The Juniper router must be configured to have all non-essential capabilities disabled.

1 rule found Severity: Low

Logo

The Juniper SRX Services Gateway Firewall must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway Firewall must not be configured as an NTP server since providing this network service is unrelated to the role as a firewall.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway Firewall must not be configured as a DNS proxy since providing this network service is unrelated to the role as a Firewall.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway Firewall must not be configured as a DHCP server since providing this network service is unrelated to the role as a Firewall.

1 rule found Severity: Medium

Logo

IBM z/OS must not have Inaccessible APF libraries defined.

1 rule found Severity: Medium

Logo

IBM z/OS inapplicable PPT entries must be invalidated.

1 rule found Severity: Medium

Logo

The Mainframe Product must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must disable or remove unnecessary network services and functions that are not used as part of its role in the architecture.

1 rule found Severity: Medium

Logo

Exchange must not send customer experience reports to Microsoft.

2 rules found Severity: Medium

Logo

The Exchange Internet Message Access Protocol 4 (IMAP4) service must be disabled.

2 rules found Severity: Medium

Logo

The Exchange Post Office Protocol 3 (POP3) service must be disabled.

2 rules found Severity: Medium

Logo

Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.

1 rule found Severity: Medium

Logo

VBA Macros not digitally signed must be blocked in Access.

1 rule found Severity: Medium

Logo

The Office client must be prevented from polling the SharePoint Server for published links.

1 rule found Severity: Medium

Logo

VBA Macros not digitally signed must be blocked in Excel.

1 rule found Severity: Medium

Logo

VBA Macros not digitally signed must be blocked in Project.

1 rule found Severity: Medium

Logo

VBA Macros not digitally signed must be blocked in PowerPoint.

1 rule found Severity: Medium

Logo

Access to CLR code must be disabled or restricted, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Access to Non-Standard extended stored procedures must be disabled or restricted, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Access to linked servers must be disabled or restricted, unless specifically required and approved.

1 rule found Severity: Medium

Logo

VBA Macros not digitally signed must be blocked in Visio.

1 rule found Severity: Medium

Logo

VBA Macros not digitally signed must be blocked in Word.

1 rule found Severity: Medium

Logo

Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems.

1 rule found Severity: Medium

Logo

The Secondary Logon service must be disabled on Windows 10.

1 rule found Severity: Medium

Logo

SQL Server default account [sa] must have its name changed.

1 rule found Severity: Medium

Logo

SQL Server execute permissions to access the registry must be revoked, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Filestream must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Ole Automation Procedures feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

SQL Server User Options feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Remote Access feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Hadoop Connectivity feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Allow Polybase Export feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Remote Data Archive feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

SQL Server External Scripts Enabled feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

SQL Server Replication Xps feature must be disabled, unless specifically required and approved.

1 rule found Severity: Medium

Logo

Windows 10 must cover or disable the built-in or attached camera when not in use.

1 rule found Severity: Medium

Logo

The Windows Defender SmartScreen for Explorer must be enabled.

1 rule found Severity: Medium

Logo

Windows Server 2019 must have the roles and features required by the system documented.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have the Fax Server role installed.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have the Peer Name Resolution Protocol installed.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have Simple TCP/IP Services installed.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have the TFTP Client installed.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed.

1 rule found Severity: Medium

Logo

Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.

1 rule found Severity: Medium

Logo

Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have Windows PowerShell 2.0 installed.

1 rule found Severity: Medium

Logo

Windows Server 2019 must prevent the display of slide shows on the lock screen.

1 rule found Severity: Medium

Logo

Windows Server 2019 must have WDigest Authentication disabled.

1 rule found Severity: Medium

Logo

Windows Server 2019 downloading print driver packages over HTTP must be turned off.

1 rule found Severity: Medium

Logo

Windows Server 2019 printing over HTTP must be turned off.

1 rule found Severity: Medium

Logo

Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen.

1 rule found Severity: Medium

Logo

Windows Server 2019 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

1 rule found Severity: Low

Logo

Windows Server 2019 Windows Defender SmartScreen must be enabled.

1 rule found Severity: Medium

Logo

Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP.

1 rule found Severity: Medium

Logo

Windows Server 2019 must prevent Indexing of encrypted files.

1 rule found Severity: Medium

Logo

Windows Server 2019 domain controllers must run on a machine dedicated to that function.

1 rule found Severity: Medium

Logo

Windows Server 2019 local users on domain-joined member servers must not be enumerated.

1 rule found Severity: Medium

Logo

Windows 10 must be configured to disable Windows Game Recording and Broadcasting.

1 rule found Severity: Medium

Logo

The convenience PIN for Windows 10 must be disabled.

1 rule found Severity: Medium

Logo

Windows Ink Workspace must be configured to disallow access above the lock.

1 rule found Severity: Medium

Logo

Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications.

1 rule found Severity: Low

Logo

Windows 10 must not have portproxy enabled or in use.

1 rule found Severity: Medium

Logo

Windows Server 2022 must have the roles and features required by the system documented.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have the Fax Server role installed.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have the Peer Name Resolution Protocol installed.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have Simple TCP/IP Services installed.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have the TFTP Client installed.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not the Server Message Block (SMB) v1 protocol installed.

1 rule found Severity: Medium

Logo

Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server.

1 rule found Severity: Medium

Logo

Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have Windows PowerShell 2.0 installed.

1 rule found Severity: Medium

Logo

Windows Server 2022 must prevent the display of slide shows on the lock screen.

1 rule found Severity: Medium

Logo

Windows Server 2022 must have WDigest Authentication disabled.

1 rule found Severity: Medium

Logo

Windows Server 2022 downloading print driver packages over HTTP must be turned off.

1 rule found Severity: Medium

Logo

Windows Server 2022 printing over HTTP must be turned off.

1 rule found Severity: Medium

Logo

Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen.

1 rule found Severity: Medium

Logo

Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

1 rule found Severity: Low

Logo

Windows Server 2022 Microsoft Defender antivirus SmartScreen must be enabled.

1 rule found Severity: Medium

Logo

Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP.

1 rule found Severity: Medium

Logo

Windows Server 2022 must prevent Indexing of encrypted files.

1 rule found Severity: Medium

Logo

Windows Server 2022 domain controllers must run on a machine dedicated to that function.

1 rule found Severity: Medium

Logo

Windows Server 2022 local users on domain-joined member servers must not be enumerated.

1 rule found Severity: Medium

Logo

Use of external executables must be authorized.

1 rule found Severity: Medium

Logo

Prisma Cloud Compute Cloud Native Network Firewall (CNNF) automatically monitors layer 4 (TCP) intercontainer communications. Enforcement policies must be created.

1 rule found Severity: High

Logo

Prisma Cloud Compute host compliance baseline policies must be set.

1 rule found Severity: High

Logo

Images stored within the container registry must contain only images to be run as containers within the container platform.

1 rule found Severity: Medium

Logo

Prisma Cloud Compute must be configured to scan images that have not been instantiated as containers.

1 rule found Severity: High

Logo

The Palo Alto Networks security platform must only enable User-ID on trusted zones.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must disable WMI probing if it is not used.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must not enable the DNS proxy.

1 rule found Severity: Medium

Logo

Rancher RKE2 must be configured with only essential configurations.

1 rule found Severity: Medium

Logo

OpenShift must contain only container images for those capabilities being offered by the container platform.

1 rule found Severity: Medium

Logo

Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.

1 rule found Severity: High

Logo

Red Hat Enterprise Linux CoreOS (RHCOS) must disable USB Storage kernel module.

1 rule found Severity: Medium

Logo

Red Hat Enterprise Linux CoreOS (RHCOS) must use USBGuard for hosts that include a USB Controller.

1 rule found Severity: Medium

Logo

OL 8 must disable the chrony daemon from acting as a server.

1 rule found Severity: Low

Logo

OL 8 must disable network management of the chrony daemon.

1 rule found Severity: Low

Logo

OL 8 must not have the telnet-server package installed.

1 rule found Severity: High

Logo

OL 8 must not have any automated bug reporting tools installed.

1 rule found Severity: Medium

Logo

OL 8 must not have the sendmail package installed.

1 rule found Severity: Medium

Logo

OL 8 must enable mitigations against processor-based vulnerabilities.

1 rule found Severity: Low

Logo

OL 8 must not have the rsh-server package installed.

1 rule found Severity: High

Logo

OL 8 must cover or disable the built-in or attached camera when not in use.

1 rule found Severity: Medium

Logo

OL 8 must disable the transparent inter-process communication (TIPC) protocol.

1 rule found Severity: Low

Logo

OL 8 must disable mounting of cramfs.

1 rule found Severity: Low

Logo

OL 8 must disable IEEE 1394 (FireWire) Support.

1 rule found Severity: Low

Logo

RHEL 9 must enable mitigations against processor-based vulnerabilities.

1 rule found Severity: Low

Logo

RHEL 9 must be configured to disable the Asynchronous Transfer Mode kernel module.

1 rule found Severity: Medium

Logo

RHEL 9 must be configured to disable the Controller Area Network kernel module.

1 rule found Severity: Medium

Logo

RHEL 9 must be configured to disable the FireWire kernel module.

1 rule found Severity: Medium

Logo

RHEL 9 must disable the Stream Control Transmission Protocol (SCTP) kernel module.

1 rule found Severity: Medium

Logo

RHEL 9 must disable the Transparent Inter Process Communication (TIPC) kernel module.

1 rule found Severity: Medium

Logo

RHEL 9 must not have a File Transfer Protocol (FTP) server package installed.

1 rule found Severity: High

Logo

RHEL 9 must not have the sendmail package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the nfs-utils package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the ypserv package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the rsh-server package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the telnet-server package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the gssproxy package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the iprutils package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must not have the tuned package installed.

1 rule found Severity: Medium

Logo

RHEL 9 must disable mounting of cramfs.

1 rule found Severity: Low

Logo

RHEL 8 must disable the chrony daemon from acting as a server.

1 rule found Severity: Low

Logo

RHEL 8 must disable network management of the chrony daemon.

1 rule found Severity: Low

Logo

RHEL 8 must not have the telnet-server package installed.

1 rule found Severity: High

Logo

RHEL 8 must not have any automated bug reporting tools installed.

1 rule found Severity: Medium

Logo

RHEL 8 must not have the sendmail package installed.

1 rule found Severity: Medium

Logo

RHEL 8 must enable mitigations against processor-based vulnerabilities.

1 rule found Severity: Low

Logo

RHEL 8 must not have the rsh-server package installed.

1 rule found Severity: High

Logo

RHEL 8 must cover or disable the built-in or attached camera when not in use.

1 rule found Severity: Medium

Logo

RHEL 8 must disable the asynchronous transfer mode (ATM) protocol.

1 rule found Severity: Low

Logo

RHEL 8 must disable the controller area network (CAN) protocol.

1 rule found Severity: Low

Logo

RHEL 8 must disable the stream control transmission protocol (SCTP).

1 rule found Severity: Low

Logo

RHEL 8 must disable the transparent inter-process communication (TIPC) protocol.

1 rule found Severity: Low

Logo

RHEL 8 must disable mounting of cramfs.

1 rule found Severity: Low

Logo

RHEL 8 must disable IEEE 1394 (FireWire) Support.

1 rule found Severity: Low

Logo

RHEL 9 must disable the chrony daemon from acting as a server.

1 rule found Severity: Low

Logo

RHEL 9 must disable network management of the chrony daemon.

1 rule found Severity: Low

Logo

The gssproxy package must not be installed unless mission essential on RHEL 8.

1 rule found Severity: Medium

Logo

RHEL 9 Bluetooth must be disabled.

1 rule found Severity: Medium

Logo

The SUSE operating system must not have the vsftpd package installed if not required for operational support.

1 rule found Severity: High

Logo

The SUSE operating system must not have the telnet-server package installed.

1 rule found Severity: High

Logo

The SUSE operating system must not have the telnet-server package installed.

1 rule found Severity: Medium

Logo

The SUSE operating system must not have the vsftpd package installed if not required for operational support.

1 rule found Severity: Medium

Logo

The operating system must be configured to provide essential capabilities.

2 rules found Severity: Medium

Logo

Samsung Android must be configured to disable all Bluetooth profiles except for HSP (Headset Profile), HFP (Hands-Free Profile), SPP (Serial Port Profile), A2DP (Advanced Audio Distribution Profile), AVRCP (Audio/Video Remote Control Profile), and PBAP (Phone Book Access Profile).

4 rules found Severity: Low

Logo

The UEM server must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The VMM must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The ESXi host must disable the Managed Object Browser (MOB).

1 rule found Severity: Medium

Logo

The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).

3 rules found Severity: Medium

Logo

The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting.

1 rule found Severity: Medium

Logo

The NSX Tier-0 Gateway router must be configured to have the Dynamic Host Configuration Protocol (DHCP) service disabled if not in use.

1 rule found Severity: Low

Logo

The NSX Tier-0 Gateway router must be configured to have routing protocols disabled if not in use.

1 rule found Severity: Low

Logo

The NSX Tier-0 Gateway router must be configured to have multicast disabled if not in use.

1 rule found Severity: Low

Logo

The NSX Tier-1 Gateway router must be configured to have the DHCP service disabled if not in use.

1 rule found Severity: Low

Logo

The NSX Tier-1 Gateway router must be configured to have multicast disabled if not in use.

1 rule found Severity: Low

Logo

ESX Agent Manager must only run one webapp.

1 rule found Severity: Medium

Logo

ESX Agent Manager must not be configured with unsupported realms.

1 rule found Severity: Medium

Logo

ESX Agent Manager must be configured to limit access to internal packages.

1 rule found Severity: Medium

Logo

ESX Agent Manager must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

ESX Agent Manager must have mappings set for Java servlet pages.

1 rule found Severity: Medium

Logo

ESX Agent Manager must not have the Web Distributed Authoring (WebDAV) servlet installed.

1 rule found Severity: Medium

Logo

ESX Agent Manager must be configured with memory leak protection.

1 rule found Severity: Medium

Logo

ESX Agent Manager must not have any symbolic links in the web content directory tree.

1 rule found Severity: Medium

Logo

VAMI must only load allowed server modules.

1 rule found Severity: Medium

Logo

VAMI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

VAMI must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".

1 rule found Severity: Medium

Logo

VAMI must remove all mappings to unused scripts.

1 rule found Severity: Medium

Logo

VAMI must have resource mappings set to disable the serving of certain file types.

1 rule found Severity: Medium

Logo

VAMI must not have the Web Distributed Authoring (WebDAV) servlet installed.

1 rule found Severity: Medium

Logo

VAMI must prevent hosted applications from exhausting system resources.

1 rule found Severity: Medium

Logo

Lookup Service must not be configured with the "UserDatabaseRealm" enabled.

1 rule found Severity: Medium

Logo

Lookup Service must be configured to limit access to internal packages.

1 rule found Severity: Medium

Logo

Lookup Service must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

Lookup Service must have mappings set for Java servlet pages.

1 rule found Severity: Medium

Logo

Lookup Service must not have the Web Distributed Authoring (WebDAV) servlet installed.

1 rule found Severity: Medium

Logo

Lookup Service must be configured with memory leak protection.

1 rule found Severity: Medium

Logo

Lookup Service must not have any symbolic links in the web content directory tree.

1 rule found Severity: Medium

Logo

The ESXi host must be configured to disable nonessential capabilities by disabling the Managed Object Browser (MOB).

2 rules found Severity: Medium

Logo

The ESXi host must be configured to disable nonessential capabilities by disabling the ESXi shell.

2 rules found Severity: Medium

Logo

Performance Charts must not be configured with unsupported realms.

1 rule found Severity: Medium

Logo

Performance Charts must be configured to limit access to internal packages.

1 rule found Severity: Medium

Logo

Performance Charts must have Multipurpose Internet Mail Extensions (MIMEs) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

Performance Charts must have mappings set for Java servlet pages.

1 rule found Severity: Medium

Logo

Performance Charts must not have the Web Distributed Authoring (WebDAV) servlet installed.

1 rule found Severity: Medium

Logo

Performance Charts must be configured with memory leak protection.

1 rule found Severity: Medium

Logo

Performance Charts must not have any symbolic links in the web content directory tree.

1 rule found Severity: Medium

Logo

vCenter Server plugins must be verified.

3 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service must disable stack tracing.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service shutdown port must be disabled.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service debug parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service directory listings parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service deployXML attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service must have Autodeploy disabled.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service xpoweredBy attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service example applications must be removed.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service default ROOT web application must be removed.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service default documentation must be removed.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter ESX Agent Manager service host-manager webapp must be removed.

2 rules found Severity: Medium

Logo

The Security Token Service must only run one webapp.

1 rule found Severity: Medium

Logo

The Security Token Service must not be configured with unused realms.

1 rule found Severity: Medium

Logo

The Security Token Service must be configured to limit access to internal packages.

1 rule found Severity: Medium

Logo

The Security Token Service must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

The Security Token Service must have mappings set for Java servlet pages.

1 rule found Severity: Medium

Logo

The Security Token Service must not have the Web Distributed Authoring (WebDAV) servlet installed.

1 rule found Severity: Medium

Logo

The Security Token Service must be configured with memory leak protection.

1 rule found Severity: Medium

Logo

The Security Token Service must not have any symbolic links in the web content directory tree.

1 rule found Severity: Medium

Logo

The vCenter Lookup service must disable stack tracing.

2 rules found Severity: Medium

Logo

The vCenter Lookup service shutdown port must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Lookup service debug parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Lookup service directory listings parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Lookup service deployXML attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Lookup service must have Autodeploy disabled.

2 rules found Severity: Medium

Logo

The vCenter Lookup service xpoweredBy attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Lookup service example applications must be removed.

2 rules found Severity: Medium

Logo

The vCenter Lookup service default ROOT web application must be removed.

2 rules found Severity: Medium

Logo

The vCenter Lookup service default documentation must be removed.

2 rules found Severity: Medium

Logo

The vCenter Lookup service manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter Lookup service host-manager webapp must be removed.

2 rules found Severity: Medium

Logo

vSphere UI must not be configured with the "UserDatabaseRealm" enabled.

1 rule found Severity: Medium

Logo

vSphere UI must be configured to limit access to internal packages.

1 rule found Severity: Medium

Logo

vSphere UI must have Multipurpose Internet Mail Extensions (MIME) that invoke operating system shell programs disabled.

1 rule found Severity: Medium

Logo

vSphere UI must have mappings set for Java servlet pages.

1 rule found Severity: Medium

Logo

vSphere UI must not have the Web Distributed Authoring (WebDAV) servlet installed.

1 rule found Severity: Medium

Logo

vSphere UI must be configured with memory leak protection.

1 rule found Severity: Medium

Logo

vSphere UI must not have any symbolic links in the web content directory tree.

1 rule found Severity: Medium

Logo

The vCenter Perfcharts service must disable stack tracing.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service shutdown port must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service debug parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service directory listings parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service deployXML attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service must have Autodeploy disabled.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service xpoweredBy attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service example applications must be removed.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service default documentation must be removed.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter Perfcharts service host-manager webapp must be removed.

2 rules found Severity: Medium

Logo

The Photon operating system must disable unnecessary kernel modules.

2 rules found Severity: Medium

Logo

The vCenter PostgreSQL service must not load unused database components, software, and database objects.

2 rules found Severity: Medium

Logo

The vCenter STS service must disable stack tracing.

2 rules found Severity: Medium

Logo

Zebra Android 13 must be configured to disable developer modes.

2 rules found Severity: Medium

Logo

Zebra Android 13 must be configured to disable Bluetooth or configured via User Based Enforcement (UBE) to allow Bluetooth for only Headset Profile (HSP), Hands-Free Profile (HFP), and Serial Port Profile (SPP).

2 rules found Severity: Low

Logo

The vCenter STS service shutdown port must be disabled.

2 rules found Severity: Medium

Logo

The vCenter STS service debug parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter STS service directory listings parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter STS service must have Autodeploy disabled.

2 rules found Severity: Medium

Logo

The vCenter STS service xpoweredBy attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter STS service example applications must be removed.

2 rules found Severity: Medium

Logo

The vCenter STS service default ROOT web application must be removed.

2 rules found Severity: Medium

Logo

The vCenter STS service default documentation must be removed.

2 rules found Severity: Medium

Logo

The vCenter STS service manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter STS service host-manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter UI service must disable stack tracing.

2 rules found Severity: Medium

Logo

The vCenter UI service shutdown port must be disabled.

2 rules found Severity: Medium

Logo

The vCenter UI service debug parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter UI service directory listings parameter must be disabled.

2 rules found Severity: Medium

Logo

The vCenter UI service deployXML attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter UI service must have Autodeploy disabled.

2 rules found Severity: Medium

Logo

The vCenter UI service xpoweredBy attribute must be disabled.

2 rules found Severity: Medium

Logo

The vCenter UI service example applications must be removed.

2 rules found Severity: Medium

Logo

The vCenter UI service default ROOT web application must be removed.

2 rules found Severity: Medium

Logo

The vCenter UI service default documentation must be removed.

2 rules found Severity: Medium

Logo

The vCenter UI service manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter UI service host-manager webapp must be removed.

2 rules found Severity: Medium

Logo

The vCenter VAMI service must explicitly disable Multipurpose Internet Mail Extensions (MIME) mime mappings based on "Content-Type".

2 rules found Severity: Medium

Logo

The vCenter VAMI service must have resource mappings set to disable the serving of certain file types.

2 rules found Severity: Medium

Logo

The vCenter VAMI service must have Web Distributed Authoring (WebDAV) disabled.

2 rules found Severity: Medium

Logo

The vCenter VAMI service must protect system resources and privileged operations from hosted applications.

2 rules found Severity: Medium

Logo

BMC CONTROL-D configuration/parameter values are not specified properly.

3 rules found Severity: Medium

Logo

BMC CONTROL-M configuration/parameter values must be specified properly.

3 rules found Severity: Medium

Logo

CA 1 Tape Management system password will be changed from the default.

3 rules found Severity: Medium

Logo

CA 1 Tape Management external security options must be specified properly.

3 rules found Severity: Medium

Logo

CL/SuperSession profile options are set improperly.

3 rules found Severity: Medium

Logo

CL/SuperSession must be properly configured to generate SMF records for audit trail and accounting reports.

3 rules found Severity: Medium

Logo

CL/SuperSession KLVINNAM member must be configured in accordance with security requirements.

3 rules found Severity: Medium

Logo

CL/SuperSession APPCLASS member is not configured in accordance with the proper security requirements.

3 rules found Severity: Medium

Logo

FDR (Fast Dump Restore) security options are improperly specified.

3 rules found Severity: High

Logo

The vCenter STS service deployXML attribute must be disabled.

1 rule found Severity: Medium

Logo

CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.

3 rules found Severity: Medium

Logo

Transparent Data Migration Facility (TDMF) configuration/parameter/option values are not specified properly.

3 rules found Severity: Medium

Logo

The layer 2 switch must be configured to disable non-essential capabilities.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to disable non-essential capabilities.

1 rule found Severity: High

Logo