Capacity
CCI-000764
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
21
Rule
Severity: Medium
Ensure All Accounts on the System Have Unique User IDs
19
Rule
Severity: Medium
Ensure All Groups on the System Have Unique Group ID
30
Rule
Severity: Low
All GIDs referenced in /etc/passwd must be defined in /etc/group
5
Rule
Severity: Medium
Enable Smart Card Login
6
Rule
Severity: Medium
Ensure Insecure File Locking is Not Allowed
1
Rule
Severity: Medium
Ensure no duplicate UIDs exist
1
Rule
Severity: Medium
The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).
1
Rule
Severity: High
The A10 Networks ADC must not use the default admin account.
1
Rule
Severity: High
The A10 Networks ADC must not use the default enable password.
2
Rule
Severity: High
AAA Services must be configured to uniquely identify and authenticate organizational users.
2
Rule
Severity: Medium
Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.
2
Rule
Severity: Medium
The ALG providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
2
Rule
Severity: Medium
The ALG providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
The ALG providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
2
Rule
Severity: Medium
The application server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
2
Rule
Severity: High
The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
All BlackBerry UEM server local accounts created during application installation and configuration must be disabled or removed.
2
Rule
Severity: Medium
The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection.
2
Rule
Severity: Medium
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.
2
Rule
Severity: Medium
If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection.
2
Rule
Severity: Medium
If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.
2
Rule
Severity: Medium
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.
2
Rule
Severity: Medium
If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication.
1
Rule
Severity: Medium
The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges.
1
Rule
Severity: Medium
The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
2
Rule
Severity: Medium
The IDMS environment must require sign-on for users and restrict them to only authorized functions.
2
Rule
Severity: High
The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
LDAP integration in Docker Enterprise must be configured.
1
Rule
Severity: Medium
If user authentication services are provided, CounterACT must be configured with a pre-established trust relationship and mechanisms with a central directory service that validates user account access authorizations and privileges.
1
Rule
Severity: Medium
If user authentication services are provided, CounterACT must restrict user authentication traffic to specific authentication server(s).
1
Rule
Severity: High
The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available.
1
Rule
Severity: High
The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available.
1
Rule
Severity: Medium
IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
1
Rule
Severity: Medium
IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".
1
Rule
Severity: Medium
The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
1
Rule
Severity: Medium
The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).
1
Rule
Severity: Medium
The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
The WebSphere Liberty Server must use an LDAP user registry.
2
Rule
Severity: Medium
Basic Authentication must be disabled.
1
Rule
Severity: Medium
The MQ Appliance network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
1
Rule
Severity: Medium
The WebSphere Application Server LDAP user registry must be used.
1
Rule
Severity: Medium
The WebSphere Application Server local file-based user registry must not be used.
1
Rule
Severity: Medium
CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.
1
Rule
Severity: High
MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
2
Rule
Severity: Medium
The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.
2
Rule
Severity: High
ISEC7 EMM Suite must disable or delete local account created during application installation and configuration.
2
Rule
Severity: Medium
The Sentry providing mobile device access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate mobile device account access authorizations and privileges.
2
Rule
Severity: Medium
The Sentry providing mobile device authentication intermediary services must restrict mobile device authentication traffic to specific authentication server(s).
2
Rule
Severity: Medium
All Jamf Pro EMM server local accounts created during application installation and configuration must be disabled.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
The Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
Azure SQL Database must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
3
Rule
Severity: Medium
SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: High
ONTAP must be configured to use an authentication server to provide multifactor authentication.
2
Rule
Severity: High
The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
1
Rule
Severity: Medium
Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users.
1
Rule
Severity: High
Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).
2
Rule
Severity: Medium
All Prisma Cloud Compute users must have a unique, individual account.
2
Rule
Severity: Medium
Prisma Cloud Compute Console must run as nonroot user (uid 2674).
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
2
Rule
Severity: High
Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.
2
Rule
Severity: High
Splunk Enterprise must have all local user accounts removed after implementing organizational level user management system, except for one emergency account of last resort.
1
Rule
Severity: High
Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: High
Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges.
1
Rule
Severity: High
Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers.
2
Rule
Severity: Medium
Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
3
Rule
Severity: Medium
Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1
Rule
Severity: Medium
Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
2
Rule
Severity: Medium
The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: High
The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.
1
Rule
Severity: Medium
All Workspace ONE UEM server local accounts created during application installation and configuration must be disabled or removed.
2
Rule
Severity: Medium
The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
DCAF Console access must require a password to be entered by each user.
2
Rule
Severity: Medium
Tomcat management applications must use LDAP realm authentication.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: use SSL for Exchange ActiveSync.
3
Rule
Severity: Medium
Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: use SSL for Exchange ActiveSync.
3
Rule
Severity: Medium
Apple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app.
2
Rule
Severity: Medium
The macOS system must disable logon to other user's active and locked sessions.
2
Rule
Severity: Medium
The macOS system must disable root logon.
2
Rule
Severity: Medium
The macOS system must configure login window to prompt for username and password.
3
Rule
Severity: Medium
The Ubuntu operating system must uniquely identify interactive users.
4
Rule
Severity: Medium
PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network.
2
Rule
Severity: Medium
The container platform must uniquely identify and authenticate users.
2
Rule
Severity: Medium
The container platform application program interface (API) must uniquely identify and authenticate users.
2
Rule
Severity: Medium
The container platform must uniquely identify and authenticate processes acting on behalf of the users.
2
Rule
Severity: Medium
The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
5
Rule
Severity: Medium
The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation.
2
Rule
Severity: Medium
The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
The HPE 3PAR OS must be configured for centralized account management functions via LDAP.
2
Rule
Severity: Medium
The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.
2
Rule
Severity: High
All accounts on AIX system must have unique account names.
2
Rule
Severity: High
All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).
2
Rule
Severity: High
The AIX SYSTEM attribute must not be set to NONE for any account.
2
Rule
Severity: Medium
IBM z/OS Started Tasks must be properly identified and defined to ACF2.
6
Rule
Severity: High
IBM z/OS UID(0) must be properly assigned.
2
Rule
Severity: Medium
IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
2
Rule
Severity: Medium
IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
2
Rule
Severity: Medium
ACF2 LOGONIDs must be defined with the required fields completed.
2
Rule
Severity: Medium
CA-ACF2 defined user accounts must uniquely identify system users.
2
Rule
Severity: Medium
IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation.
2
Rule
Severity: Medium
IBM z/OS FTP Server daemon must be defined with proper security parameters.
2
Rule
Severity: Medium
IBM z/OS Syslog daemon must be started at z/OS initialization.
2
Rule
Severity: Medium
IBM z/OS Syslog daemon must be properly defined and secured.
2
Rule
Severity: Medium
IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
2
Rule
Severity: Medium
IBM z/OS user account for the z/OS UNIX SUPERSUSER userid must be properly defined.
6
Rule
Severity: Medium
IBM z/OS UNIX user accounts must be properly defined.
4
Rule
Severity: Medium
IBM z/OS UNIX groups must be defined with a unique GID.
2
Rule
Severity: Medium
IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
2
Rule
Severity: Medium
IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
2
Rule
Severity: Medium
IBM Integrated Crypto Service Facility (ICSF) Started Task name must be properly identified / defined to the system ACP.
2
Rule
Severity: Medium
Certificate Name Filtering must be implemented with appropriate authorization and documentation.
2
Rule
Severity: Medium
The CA-TSS CPFRCVUND Control Option value specified must be set to NO.
2
Rule
Severity: Medium
The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL.
2
Rule
Severity: Low
CA-TSS User ACIDs and Control ACIDs must have the NAME field completed.
2
Rule
Severity: High
The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type.
2
Rule
Severity: Low
Interactive ACIDs defined to CA-TSS must have the required fields completed.
2
Rule
Severity: Medium
CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced.
2
Rule
Severity: Medium
IBM z/OS DASD management ACIDs must be properly defined to CA-TSS.
4
Rule
Severity: Medium
The IBM z/OS FTP server daemon must be defined with proper security parameters.
2
Rule
Severity: Medium
IBM RACF users must have the required default fields.
2
Rule
Severity: Medium
IBM interactive USERIDs defined to RACF must have the required fields completed.
2
Rule
Severity: Medium
IBM z/OS Started Tasks must be properly identified and defined to RACF.
2
Rule
Severity: Medium
The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.
2
Rule
Severity: Medium
IBM RACF user accounts must uniquely identify system users.
2
Rule
Severity: Medium
The IBM z/OS Syslog daemon must not be started at z/OS initialization.
4
Rule
Severity: Medium
The IBM z/OS Syslog daemon must be properly defined and secured.
2
Rule
Severity: Medium
IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
2
Rule
Severity: Medium
The IBM z/OS Syslog daemon must be started at z/OS initialization.
4
Rule
Severity: Medium
The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.
4
Rule
Severity: Medium
The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.
4
Rule
Severity: Medium
The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.
4
Rule
Severity: Medium
IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.
2
Rule
Severity: Medium
IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.
4
Rule
Severity: Medium
IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP.
2
Rule
Severity: Medium
IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
The ICS must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: Medium
MarkLogic Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
MariaDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
3
Rule
Severity: Medium
MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
4
Rule
Severity: Medium
The built-in administrator account must be disabled.
2
Rule
Severity: Medium
Shared user accounts must not be permitted on the system.
2
Rule
Severity: Medium
Outdated or unused accounts must be removed from the system or disabled.
2
Rule
Severity: Medium
Windows Server 2016 accounts must require passwords.
2
Rule
Severity: Medium
Windows Server 2019 shared user accounts must not be permitted.
2
Rule
Severity: Medium
Windows Server 2019 accounts must require passwords.
2
Rule
Severity: Medium
Windows Server 2022 shared user accounts must not be permitted.
2
Rule
Severity: Medium
Windows Server 2022 accounts must require passwords.
1
Rule
Severity: Medium
The DBMS must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
2
Rule
Severity: Medium
The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.
2
Rule
Severity: Medium
The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
2
Rule
Severity: Low
The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.
2
Rule
Severity: Medium
OL 8 duplicate User IDs (UIDs) must not exist for interactive users.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: Medium
The Palo Alto Networks security platform must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
2
Rule
Severity: High
The Palo Alto Networks security platform must not use the default admin account password.
2
Rule
Severity: Medium
Automation Controller must be configured to use an enterprise user management system.
2
Rule
Severity: Medium
Redis Enterprise DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
2
Rule
Severity: High
OpenShift RBAC access controls must be enforced.
2
Rule
Severity: High
OpenShift must disable root and terminate network connections.
1
Rule
Severity: Low
The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.
2
Rule
Severity: Medium
RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.
4
Rule
Severity: Medium
The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.
2
Rule
Severity: Medium
RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.
2
Rule
Severity: Medium
All RHEL 9 interactive users must have a primary group that exists.
2
Rule
Severity: Medium
RHEL 9 groups must have unique Group ID (GID).
1
Rule
Severity: Medium
RHEL 9 must use the CAC smart card driver.
4
Rule
Severity: Medium
Duplicate User IDs (UIDs) must not exist for users within the organization.
2
Rule
Severity: High
Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.
2
Rule
Severity: Medium
The VMM must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Low
The ESXi host must use Active Directory for local user authentication.
1
Rule
Severity: Medium
ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.
1
Rule
Severity: Medium
Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.
4
Rule
Severity: Medium
The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
3
Rule
Severity: Low
The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
4
Rule
Severity: Medium
The Photon operating system must not have duplicate User IDs (UIDs).
1
Rule
Severity: Low
VMware Postgres must require authentication on all connections.
6
Rule
Severity: Medium
BMC CONTROL-D Started Task name is not properly identified / defined to the system ACP.
6
Rule
Severity: Medium
BMC CONTROL-O Started Task name is not properly identified / defined to the system ACP.
6
Rule
Severity: Medium
BMC IOA Started Task name must be properly identified and defined to the system ACP.
2
Rule
Severity: Medium
BMC Mainview for z/OS Started Task name must be properly identified and/or defined to the system ACP.
6
Rule
Severity: Medium
CA Common Services Started Task name will be properly identified and/or defined to the system ACP.
6
Rule
Severity: Medium
CA VTAPE Started Task name is not properly identified/defined to the system ACP.
6
Rule
Severity: Medium
BMC CONTROL-M Started Task name is not properly identified / defined to the system ACP.
2
Rule
Severity: Medium
BMC CONTROL-M Started task(s) must be properly defined to the STARTED resource class for RACF.
3
Rule
Severity: Medium
The vCenter PostgreSQL service must require authentication on all connections.
6
Rule
Severity: Medium
CA 1 Tape Management Started Task name will be properly identified and/or defined to the system ACP.
6
Rule
Severity: Medium
CA MIM Resource Sharing Started Task name will be properly identified and/or defined to the system ACP.
2
Rule
Severity: Medium
BMC CONTROL-D Started task(s) must be properly defined to the STARTED resource class for RACF.
6
Rule
Severity: Medium
CL/SuperSession Started Task name is not properly identified / defined to the system ACP.
6
Rule
Severity: Medium
Compuware Abend-AID Started Task name will be properly identified and/or defined to the system ACP.
6
Rule
Severity: Medium
IBM CSSMTP Started Task name is not properly identified and/or defined to the system ACP.
4
Rule
Severity: Medium
CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
6
Rule
Severity: Medium
CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
2
Rule
Severity: Medium
BMC CONTROL-O Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
BMC IOA Started task(s) must be properly defined to the STARTED resource class for RACF.
4
Rule
Severity: Medium
BMC Mainview for z/OS Started Task name is not properly identified and/or defined to the system ACP.
2
Rule
Severity: Medium
BMC Mainview for z/OS Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
CA 1 Tape Management Started task will be properly defined to the STARTED resource class for RACF.
6
Rule
Severity: Medium
IBM System Display and Search Facility (SDSF) Started Task name will be properly identified and/or defined to the system ACP.
2
Rule
Severity: Medium
CA MIM Resource Sharing Started task will be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
CA VTAPE Started task(s) must be properly defined to the STARTED resource class for RACF.
6
Rule
Severity: Medium
Quest NC-Pass Started Task name will be properly identified and/or defined to the system ACP.
6
Rule
Severity: Medium
Tivoli Asset Discovery for z/OS (TADz) Started Task name(s) must be properly identified / defined to the system ACP.
2
Rule
Severity: Medium
IBM CSSMTP Started task(s) must be properly defined to the STARTED resource class for RACF.
6
Rule
Severity: Medium
WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
6
Rule
Severity: Medium
WebSphere MQ dead letter and alias dead letter queues are not properly defined.
2
Rule
Severity: Medium
BMC CONTROL-D Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
6
Rule
Severity: Medium
IBM Health Checker Started Task name will be properly identified and/or defined to the system ACP.
2
Rule
Severity: Medium
CA Common Services Started task will be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
NetView Started Task name must be properly identified / defined to the system ACP.
2
Rule
Severity: Medium
CL/SuperSession Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
Compuware Abend-AID Started task will be properly defined to the STARTED resource class for RACF.
6
Rule
Severity: Medium
ROSCOE Started Task name is not properly identified / defined to the system ACP.
2
Rule
Severity: Medium
CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
2
Rule
Severity: Medium
BMC CONTROL-M Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
BMC CONTROL-M is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
BMC IOA Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
BMC IOA is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
IBM Tivoli Asset Discovery for zOS (TADz) Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
CA 1 Tape Management Started task will be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
CA 1 Tape Management will be properly defined to the Facility Matrix Table.
2
Rule
Severity: Medium
CA Common Services Started task will be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
BMC CONTROL-D is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
IBM Health Checker Started task will be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
IBM System Display and Search Facility (SDSF) Started task will be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
BMC CONTROL-O Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
BMC CONTROL-O is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
NetView Started Task name(s) is not properly identified / defined to the system ACP.
2
Rule
Severity: Medium
IBM Tivoli NetView Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
Quest NC-Pass Started task will be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
BMC Mainview for z/OS Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
BMC Mainview for z/OS is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
CA MIM Resource Sharing Started task will be properly defined to the Started Task Table for Top Secret.
2
Rule
Severity: Medium
CA VTAPE Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
CL/SuperSession Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
CL/SuperSession is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
Compuware Abend-AID Started task will be properly defined to the Started Task Table for Top Secret.
2
Rule
Severity: Medium
IBM CSSMTP Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
ROSCOE Started task(s) must be properly defined to the STARTED resource class for RACF.
2
Rule
Severity: Medium
IBM Health Checker Started task will be properly defined to the Started Task Table for Top Secret.
1
Rule
Severity: Medium
The BIG-IP APM module must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.
1
Rule
Severity: Medium
The BIG-IP APM module must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers.
1
Rule
Severity: Medium
The BIG-IP APM module must restrict user authentication traffic to specific authentication server(s) when providing user authentication to virtual servers.
2
Rule
Severity: Medium
IBM System Display and Search Facility (SDSF) Started task will be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
NetView Started Task name(s) is not properly identified / defined to the system ACP.
2
Rule
Severity: Medium
IBM Tivoli NetView Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
NetView is not properly defined to the Facility Matrix Table for Top Secret.
2
Rule
Severity: Medium
Quest NC-Pass Started task will be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
Quest NC-Pass will be properly defined to the Facility Matrix Table.
2
Rule
Severity: Medium
IBM Tivoli Asset Discovery for zOS (TADz) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
1
Rule
Severity: High
The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers.
1
Rule
Severity: Medium
The BIG-IP Core implementation providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s) when providing access control to virtual servers.
2
Rule
Severity: Medium
ROSCOE Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.
2
Rule
Severity: Medium
ROSCOE is not properly defined to the Facility Matrix Table for Top Secret.
1
Rule
Severity: Medium
The macOS system must disable login to other users' active and locked sessions.
1
Rule
Severity: Medium
The macOS system must disable root login.
1
Rule
Severity: High
The macOS system must disable unattended or automatic login to the system.
1
Rule
Severity: Medium
The macOS system must configure the login window to prompt for username and password.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must uniquely identify interactive users.
1
Rule
Severity: Medium
The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Endpoint must be configured to uniquely identify participating users.
1
Rule
Severity: High
The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: High
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system.
1
Rule
Severity: High
The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.
1
Rule
Severity: Medium
Started tasks for zSecure products must be properly defined.
1
Rule
Severity: High
ISEC7 SPHERE must disable or delete local account created during application installation and configuration.
1
Rule
Severity: High
Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.
1
Rule
Severity: Medium
MKE must not permit users to create pods that share host process namespace.
1
Rule
Severity: Medium
RHEL 9 must use the common access card (CAC) smart card driver.
1
Rule
Severity: Medium
SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.
1
Rule
Severity: Medium
TOSS duplicate User IDs (UIDs) must not exist for interactive users.
1
Rule
Severity: High
Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: use SSL for Exchange ActiveSync.
1
Rule
Severity: Medium
Apple iOS/iPadOS 18 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 18 Mail app.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules