Skip to content
Log In

CCI-000382

Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.

Verify firewalld Enabled

26 rules found Severity: Medium

Logo

Disable Apache Qpid (qpidd)

15 rules found Severity: Low

Logo

Disable Network Router Discovery Daemon (rdisc)

15 rules found Severity: Medium

Logo

Configure the Firewalld Ports

13 rules found Severity: Medium

Logo

Disable ntpdate Service (ntpdate)

13 rules found Severity: Low

Logo

Disable Red Hat Network Service (rhnsd)

7 rules found Severity: Low

Logo

Disable Postfix Network Listening

21 rules found Severity: Medium

Logo

Install SuSEfirewall2 Package

1 rule found Severity: Medium

Logo

Enable the SuSEfirewall 2

1 rule found Severity: Medium

Logo

Only Allow Authorized Network Services in SuSEfirewall2

1 rule found Severity: Medium

Logo

Only Allow Authorized Network Services in ufw

2 rules found Severity: Medium

Logo

The A10 Networks ADC must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The A10 Networks ADC must disable management protocol access to all interfaces except the management interface.

1 rule found Severity: Medium

Logo

Compliance Guardian must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

Compliance Guardian must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Arista Multilayer Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

DocAve must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The BlackBerry UEM server platform must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the BlackBerry UEM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BlackBerry UEM server and platform functions.

1 rule found Severity: Medium

Logo

The firewall protecting the BlackBerry UEM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).

1 rule found Severity: Medium

Logo

The BlackBerry UEM server Blackberry Web Services must not be authorized access from external sources unnecessarily.

1 rule found Severity: Medium

Logo

The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.

1 rule found Severity: Medium

Logo

The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management (PPSM) Category Assurance Levels (CAL) list for DoD-approved ports, protocols, and services.

1 rule found Severity: Medium

Logo

The BlackBerry Enterprise Mobility Server (BEMS) platform must be protected by a DOD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the BEMS must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support BEMS functions.

1 rule found Severity: Medium

Logo

The firewall protecting the BlackBerry Enterprise Mobility Server (BEMS) must be configured so that only DOD-approved ports, protocols, and services are enabled.

1 rule found Severity: Medium

Logo

The CA API Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Citrix Linux Virtual Delivery Agent (LVDA) must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Citrix Receiver must implement DoD-approved encryption.

1 rule found Severity: High

Logo

Citrix Windows Virtual Delivery Agent must be configured to prohibit or restrict the use of ports, as defined in the PPSM CAL and vulnerability assessments.

2 rules found Severity: Medium

Logo

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

1 rule found Severity: Medium

Logo

Docker Enterprise privileged ports must not be mapped within containers.

1 rule found Severity: High

Logo

Docker Enterprise incoming container traffic must be bound to a specific host interface.

1 rule found Severity: Medium

Logo

Docker Enterprise Swarm services must be bound to a specific host interface.

1 rule found Severity: Medium

Logo

The FortiGate device must prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

CounterACT must disable all unnecessary and/or nonsecure plugins.

1 rule found Severity: High

Logo

The HP FlexFabric Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.

1 rule found Severity: High

Logo

The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

5 rules found Severity: High

Logo

The Infoblox system must prohibit or restrict unapproved services, ports, and protocols.

1 rule found Severity: Medium

Logo

The DataPower Gateway must have SSH and web management bound to the management interface and Telnet disabled.

1 rule found Severity: Medium

Logo

DB2 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The IBM Aspera Console must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

IBM Aspera Faspex must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

IBM Aspera Shares must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Endpoint must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must not use the root account for transfers.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must restrict Aspera transfer users to a limited part of the server's file system.

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must set the default docroot to an empty folder.

1 rule found Severity: Medium

Logo

The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The MaaS360 server platform must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the MaaS360 server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MaaS360 server and platform functions.

1 rule found Severity: Medium

Logo

The firewall protecting the MaaS360 server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.)

1 rule found Severity: Medium

Logo

The WebSphere Application Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

All IBM z/VM TCP/IP Ports must be restricted to ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Infoblox systems configured to run the DNS service must be configured to prohibit or restrict unapproved ports and protocols.

1 rule found Severity: Medium

Logo

The DHCP service must not be enabled on an external authoritative name server.

1 rule found Severity: Medium

Logo

If cipher suites using pre-shared keys are used for device authentication, the ISEC7 EMM Suite must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are Government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.

1 rule found Severity: Medium

Logo

The Sentry must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

2 rules found Severity: Medium

Logo

The MDM server platform must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the MDM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.

1 rule found Severity: Medium

Logo

The firewall protecting the MDM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.)

1 rule found Severity: Medium

Logo

SQL Server must be configured to prohibit or restrict the use of unauthorized network protocols.

1 rule found Severity: Medium

Logo

SQL Server must be configured to prohibit or restrict the use of unauthorized network ports.

1 rule found Severity: Medium

Logo

The Windows 2012 DNS Server must be configured to prohibit or restrict unapproved ports and protocols.

1 rule found Severity: Medium

Logo

The MFD must be configured to prohibit the use of all unnecessary and/or nonsecure functions, physical and logical ports, protocols, and/or services.

1 rule found Severity: Medium

Logo

Nutanix AOS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

OHS must be configured to use a specified IP address, port, and protocol.

1 rule found Severity: Medium

Logo

Oracle WebLogic must support the capability to disable network protocols deemed by the organization to be non-secure except for explicitly identified components in support of specific operational requirements.

1 rule found Severity: Medium

Logo

Oracle WebLogic must prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.

1 rule found Severity: Medium

Logo

The Riverbed Optimization System (RiOS) must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Riverbed Optimization System (RiOS) must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

The Samsung SDS EMM platform must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the Samsung SDS EMM platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Samsung SDS EMM and platform functions.

1 rule found Severity: Medium

Logo

The firewall protecting the Samsung SDS EMM platform must be configured so that only DoD-approved ports, protocols, and services are enabled. See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services.

1 rule found Severity: Medium

Logo

Symantec ProxySG must be configured to prohibit or restrict the use of network services as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: High

Logo

Firewall rules must be configured on the Tanium Endpoints for Client-to-Server communications.

4 rules found Severity: Medium

Logo

Firewall rules must be configured on the Tanium Server for Client-to-Server communications.

4 rules found Severity: Medium

Logo

Firewall rules must be configured on the Tanium Zone Server for Client-to-Zone Server communications.

5 rules found Severity: Medium

Logo

The Tanium Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Symantec ProxySG must use only approved management services protocols.

1 rule found Severity: High

Logo

The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

3 rules found Severity: Medium

Logo

The NSX-T Manager must not provide environment information to third parties.

1 rule found Severity: Medium

Logo

The NSX-T Manager must disable SSH.

1 rule found Severity: Low

Logo

The NSX-T Manager must disable unused local accounts.

1 rule found Severity: Medium

Logo

The NSX-T Manager must disable TLS 1.1 and enable TLS 1.2.

1 rule found Severity: Medium

Logo

The NSX-T Manager must disable SNMP v2.

1 rule found Severity: Medium

Logo

The NSX-T Manager must enable the global FIPS compliance mode for load balancers.

1 rule found Severity: Medium

Logo

The Workspace ONE UEM server must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the Workspace ONE UEM server must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support MDM server and platform functions.

1 rule found Severity: Medium

Logo

The firewall protecting the Workspace ONE UEM server must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).

1 rule found Severity: Medium

Logo

The DOD Mobile Service Provider must not allow BYOADs in facilities where personally owned mobile devices are prohibited.

2 rules found Severity: Medium

Logo

The iOS/iPadOS 16 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.

1 rule found Severity: Medium

Logo

The macOS system must be configured to disable sending diagnostic and usage data to Apple.

2 rules found Severity: Medium

Logo

The macOS system must be configured to disable Remote Apple Events.

2 rules found Severity: Medium

Logo

The Ubuntu operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

2 rules found Severity: Medium

Logo

Unused database components that are integrated in MongoDB and cannot be uninstalled must be disabled.

3 rules found Severity: Medium

Logo

Windows Defender Firewall with Advanced Security must block unsolicited inbound connections when connected to a domain.

1 rule found Severity: High

Logo

Windows Defender Firewall with Advanced Security must block unsolicited inbound connections when connected to a private network.

1 rule found Severity: High

Logo

Windows Defender Firewall with Advanced Security must block unsolicited inbound connections when connected to a public network.

1 rule found Severity: High

Logo

The DBMS must support the organizational requirements to specifically prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services.

2 rules found Severity: Medium

Logo

The DBMS must support the disabling of network protocols deemed by the organization to be non-secure.

1 rule found Severity: Medium

Logo

PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

3 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The EDB Postgres Advanced Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

2 rules found Severity: Medium

Logo

The BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The BIG-IP Core implementation must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocol, and Service Management (PPSM) Category Assurance List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The iOS/iPadOS 17 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.

1 rule found Severity: Medium

Logo

Applications in privileged mode must be approved by the ISSO.

1 rule found Severity: Medium

Logo

The Arista network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The BIND 9.x server implementation must be configured to use only approved ports and protocols.

1 rule found Severity: Medium

Logo

IDMS nodes, lines, and pterms must be protected from unauthorized use.

1 rule found Severity: Medium

Logo

The Cisco ASA must be configured to prohibit the use of all unnecessary and/or non-secure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The Cisco ASA must be configured to use Internet Key Exchange v2 (IKEv2) for all IPsec security associations.

1 rule found Severity: Medium

Logo

The Cisco switch must be configured to prohibit the use of all unnecessary and nonsecure functions and services.

2 rules found Severity: High

Logo

The Cisco router must be configured to be configured to prohibit the use of all unnecessary and nonsecure functions and services.

1 rule found Severity: High

Logo

The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The Cisco ISE must be configured to disable Wireless Setup for production systems.

1 rule found Severity: High

Logo

The DNS server implementation must be configured to prohibit or restrict unapproved ports and protocols.

1 rule found Severity: Medium

Logo

The Enterprise Voice, Video, and Messaging Endpoint must be configured to only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).

1 rule found Severity: High

Logo

The F5 BIG-IP appliance must be configured to prohibit or restrict the use of unnecessary or prohibited functions, ports, protocols, and/or services, including those defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: High

Logo

The Enterprise Voice, Video, and Messaging Session Manager must only use ports, protocols, and services allowed per the Ports, Protocols, and Services Management (PPSM) Category Assurance List (CAL) and Vulnerability Assessments (VAs).

1 rule found Severity: High

Logo

The F5 BIG-IP appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The IPsec BIG-IP appliance must use IKEv2 for IPsec VPN security associations.

1 rule found Severity: Medium

Logo

The DOD Mobile Service Provider must not allow Google Android 13 BYOADs in facilities where personally owned mobile devices are prohibited.

1 rule found Severity: Medium

Logo

The Google Android 13 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.

1 rule found Severity: Medium

Logo

The DOD Mobile Service Provider must not allow Google Android 14 BYOADs in facilities where personally owned mobile devices are prohibited.

1 rule found Severity: Medium

Logo

The Google Android 14 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.

1 rule found Severity: Medium

Logo

The SSMC web server must be configured to use a specified IP address and port.

1 rule found Severity: Medium

Logo

HPE Nimble must be configured to disable HPE InfoSight.

1 rule found Severity: Medium

Logo

HPE Nimble must not be configured to use "HPE Greenlake: Data Services Cloud Console".

1 rule found Severity: Medium

Logo

HPE Alletra 5000/6000 must be configured to disable management by "HPE Greenlake: Data Services Cloud Console".

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

1 rule found Severity: High

Logo

The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.

1 rule found Severity: High

Logo

The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.

1 rule found Severity: High

Logo

The WebSphere Liberty Server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

If Stream Control Transmission Protocol (SCTP) must be disabled on AIX.

1 rule found Severity: Medium

Logo

The Reliable Datagram Sockets (RDS) protocol must be disabled on AIX.

1 rule found Severity: Medium

Logo

If cipher suites using pre-shared keys are used for device authentication, the ISEC7 SPHERE must have a minimum security strength of 112 bits or higher, must only be used in networks where both the client and server are government systems, must prohibit client negotiation to TLS 1.1, TLS 1.0, SSL 2.0, or SSL 3.0 and must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithm for transmission.

1 rule found Severity: Medium

Logo

The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The Jamf Pro EMM server platform must be protected by a DoD-approved firewall.

1 rule found Severity: Medium

Logo

The firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions.

1 rule found Severity: Medium

Logo

The firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).

1 rule found Severity: Medium

Logo

JBoss application and management ports must be approved by the PPSM CAL.

1 rule found Severity: Medium

Logo

The Kubernetes API Server must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

1 rule found Severity: Medium

Logo

The Kubernetes Scheduler must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

1 rule found Severity: Medium

Logo

The Kubernetes Controllers must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

1 rule found Severity: Medium

Logo

The Kubernetes etcd must enforce ports, protocols, and services (PPS) that adhere to the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL).

1 rule found Severity: Medium

Logo

The Kubernetes cluster must use non-privileged host ports for user pods.

1 rule found Severity: Medium

Logo

Only required ports must be open on containers in MKE.

1 rule found Severity: High

Logo

MarkLogic Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

MKE must use a non-AUFS storage driver.

1 rule found Severity: Medium

Logo

Containers must not map to privileged ports.

1 rule found Severity: Medium

Logo

Supported authentication schemes must be configured.

1 rule found Severity: Medium

Logo

The Azure SQL Database must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Each IIS 10.0 website must be assigned a default host header.

1 rule found Severity: Medium

Logo

Simple Network Management Protocol (SNMP) must not be installed on the system.

2 rules found Severity: Medium

Logo

The Telnet Client must not be installed on the system.

2 rules found Severity: Medium

Logo

The TFTP Client must not be installed on the system.

2 rules found Severity: Medium

Logo

Copilot in Windows must be disabled for Windows 11

1 rule found Severity: Medium

Logo

The Microsoft FTP service must not be installed unless required.

1 rule found Severity: Medium

Logo

The Telnet Client must not be installed.

1 rule found Severity: Medium

Logo

The network device must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services

1 rule found Severity: High

Logo

ONTAP must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The MySQL Database Server 8.0 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: Medium

Logo

Redis Enterprise DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Rancher MCM must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.

1 rule found Severity: High

Logo

Automation Controller must use encryption strength in accordance with the categorization of the management data during remote access management sessions.

1 rule found Severity: Medium

Logo

All Automation Controller NGINX web servers must be configured to use a specified IP address and port.

1 rule found Severity: Medium

Logo

SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The DOD Mobile Service Provider must not allow Samsung Android 14 BYOADs in facilities where personally owned mobile devices are prohibited.

1 rule found Severity: Medium

Logo

The Samsung Android 14 BYOAD must be configured to disable device cameras and/or microphones when brought into DOD facilities where mobile phone cameras and/or microphones are prohibited.

1 rule found Severity: Medium

Logo

Firewall rules must be configured on the Tanium endpoints for client-to-server communications.

1 rule found Severity: Medium

Logo

Firewall rules must be configured on the Tanium Server for client-to-server communications.

1 rule found Severity: Medium

Logo

The Tanium Application Server must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM Category Assurance List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

TOSS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The web server must be configured to use a specified IP address and port.

1 rule found Severity: Medium

Logo

Install firewalld Package

18 rules found Severity: Medium

Logo

Disable chrony daemon from acting as server

9 rules found Severity: Low

Logo

Disable network management of chrony daemon

9 rules found Severity: Low

Logo

Enable SSH Server firewalld Firewall Exception

9 rules found Severity: Medium

Logo

NixOS must enable the built-in firewall.

1 rule found Severity: Medium

Logo

AAA Services must be configured to use secure protocols when connecting to directory services.

1 rule found Severity: High

Logo

AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: High

Logo

AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Apache web server must be configured to use a specified IP address and port.

4 rules found Severity: Medium

Logo

The macOS system must disable Remote Apple Events.

2 rules found Severity: Medium

Logo

The ALG must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The application server must prohibit or restrict the use of nonsecure ports, protocols, modules, and/or services as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Cisco router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.

2 rules found Severity: High

Logo

The Cisco switch must be configured to prohibit the use of all unnecessary and non-secure functions and services.

1 rule found Severity: High

Logo

The Mission Owner must configure the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) to prohibit or restrict the use of functions, ports, protocols, and/or services.

1 rule found Severity: Medium

Logo

The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

1 rule found Severity: Medium

Logo

The container platform runtime must enforce the use of ports that are non-privileged.

1 rule found Severity: Medium

Logo

The firewalld service on AlmaLinux OS 9 must be active.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must have the firewalld package installed.

1 rule found Severity: Medium

Logo

The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission.

1 rule found Severity: High

Logo

The DBMS must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The Dell OS10 Switch must be configured to disable the Bash shell.

1 rule found Severity: High

Logo

Forescout must use DOD-approved PKI rather than proprietary or self-signed device certificates.

1 rule found Severity: High

Logo

Forescout must disable the Request Customer Verification setting.

1 rule found Severity: Low

Logo

The operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

AOS must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

The HYCU virtual appliance must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.

1 rule found Severity: High

Logo

For site-to-site VPN implementations using AOS, the Layer 2 Tunneling Protocol (L2TP) must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.

1 rule found Severity: Medium

Logo

The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F).

1 rule found Severity: Medium

Logo

AOS, when used as an IPsec VPN Gateway, must use Internet Key Exchange (IKE) for IPsec VPN security associations (SAs).

1 rule found Severity: High

Logo

The IDPS must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

IBM z/OS must properly protect MCS console userid(s).

3 rules found Severity: Medium

Logo

ACF2 BLPPGM GSO record must not be defined.

1 rule found Severity: Medium

Logo

IBM z/OS must properly configure CONSOLxx members.

3 rules found Severity: Medium

Logo

IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol.

3 rules found Severity: High

Logo

IBM z/OS User exits for the FTP Server must not be used without proper approval and documentation.

1 rule found Severity: Medium

Logo

IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified.

3 rules found Severity: Medium

Logo

The Juniper router must be configured to prohibit the use of all unnecessary and nonsecure functions and services.

1 rule found Severity: High

Logo

IBM z/OS user exits for the FTP server must not be used without proper approval and documentation.

2 rules found Severity: Medium

Logo

The Juniper SRX Services Gateway Firewall must be configured to prohibit or restrict the use of unauthorized functions, ports, protocols, and/or services, as defined in the PPSM CAL, vulnerability assessments.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must be configured to prohibit the use of unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must remove or explicitly deny the use of nonsecure protocols.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must use and securely configure SNMPv3 if SNMP is enabled.

1 rule found Severity: High

Logo

The Juniper SRX Services Gateway must ensure SSH is disabled for root user logon to prevent remote access using the root account.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must ensure access to start a UNIX-level shell is restricted to only the root account.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must ensure TCP forwarding is disabled for SSH to prevent unauthorized access.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway must be configured with only one local user account to be used as the account of last resort.

1 rule found Severity: Medium

Logo

For nonlocal maintenance sessions, the Juniper SRX Services Gateway must explicitly deny the use of J-Web.

1 rule found Severity: High

Logo

MariaDB must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must use IKEv2 for IPsec VPN security associations.

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

When configuring SharePoint Central Administration, the port number selected must comply with DoD Ports and Protocol Management (PPSM) program requirements.

1 rule found Severity: Medium

Logo

SQL Server must be configured to prohibit or restrict the use of organization-defined protocols as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

SQL Server must be configured to prohibit or restrict the use of organization-defined ports, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization.

1 rule found Severity: Medium

Logo

Windows Server 2019 must not have the Telnet Client installed.

1 rule found Severity: Medium

Logo

Copilot in Windows must be disabled for Windows 10.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization.

1 rule found Severity: Medium

Logo

Windows Server 2022 must not have the Telnet Client installed.

1 rule found Severity: Medium

Logo

The DBMS must support the disabling of network protocols deemed by the organization to be nonsecure.

1 rule found Severity: Medium

Logo

Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL).

1 rule found Severity: High

Logo

Prisma Cloud Compute must use TCP ports above 1024.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules.

1 rule found Severity: High

Logo

Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

1 rule found Severity: Medium

Logo

OpenShift runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

1 rule found Severity: Medium

Logo

Container images instantiated by OpenShift must execute using least privileges.

1 rule found Severity: High

Logo

OL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

RHEL 9 must have the firewalld package installed.

1 rule found Severity: Medium

Logo

The firewalld service on RHEL 9 must be active.

1 rule found Severity: Medium

Logo

RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

RHEL 9 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

1 rule found Severity: Medium

Logo

RHEL 9 must disable the chrony daemon from acting as a server.

1 rule found Severity: Low

Logo

RHEL 9 must disable network management of the chrony daemon.

1 rule found Severity: Low

Logo

The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

2 rules found Severity: Medium

Logo

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

2 rules found Severity: Medium

Logo

The firewall protecting the UEM server platform must be configured so only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).

1 rule found Severity: Medium

Logo

The UEM server must be configured to use only documented platform APIs.

1 rule found Severity: Medium

Logo

The VMM must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The Photon operating system must disable the loading of unnecessary kernel modules.

1 rule found Severity: Medium

Logo

VMware Postgres must be configured to use the correct port.

1 rule found Severity: Medium

Logo

The vCenter ESX Agent Manager service must be configured to use a specified IP address and port.

2 rules found Severity: Medium

Logo

The vCenter Lookup service must be configured to use a specified IP address and port.

2 rules found Severity: Medium

Logo

The vCenter Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.

1 rule found Severity: High

Logo

The vCenter Perfcharts service must be configured to use a specified IP address and port.

2 rules found Severity: Medium

Logo

The VPN Gateway must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

1 rule found Severity: Medium

Logo

The IPsec VPN Gateway must use IKEv2 for IPsec VPN security associations.

1 rule found Severity: Medium

Logo

The Remote Access VPN Gateway must be configured to prohibit Point-to-Point Tunneling Protocol (PPTP) and L2F.

1 rule found Severity: Medium

Logo

For site-to-site VPN implementations, the L2TP protocol must be blocked or denied at the security boundary with the private network so unencrypted L2TP packets cannot traverse into the private network of the enclave.

1 rule found Severity: Medium

Logo

The vCenter PostgreSQL service must be configured to use an authorized port.

2 rules found Severity: Medium

Logo

The vCenter STS service must be configured to use a specified IP address and port.

2 rules found Severity: Medium

Logo

The vCenter UI service must be configured to use a specified IP address and port.

2 rules found Severity: Medium

Logo

The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.

1 rule found Severity: Medium

Logo

The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.

3 rules found Severity: Medium

Logo

Citrix Delivery Controller must implement DoD-approved encryption.

1 rule found Severity: High

Logo