Skip to content
Log In

CCI-000764

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Ensure All Accounts on the System Have Unique User IDs

26 rules found Severity: Medium

Logo

Ensure All Groups on the System Have Unique Group ID

23 rules found Severity: Medium

Logo

All GIDs referenced in /etc/passwd must be defined in /etc/group

33 rules found Severity: Low

Logo

Enable Smart Card Login

5 rules found Severity: Medium

Logo

Ensure Insecure File Locking is Not Allowed

6 rules found Severity: Medium

Logo

Ensure no duplicate UIDs exist

2 rules found Severity: Medium

Logo

The A10 Networks ADC must not have any shared accounts (other than the emergency administration account).

1 rule found Severity: Medium

Logo

The A10 Networks ADC must not use the default admin account.

1 rule found Severity: High

Logo

The A10 Networks ADC must not use the default enable password.

1 rule found Severity: High

Logo

All BlackBerry UEM server local accounts created during application installation and configuration must be disabled or removed.

1 rule found Severity: Medium

Logo

The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection.

2 rules found Severity: Medium

Logo

If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.

2 rules found Severity: Medium

Logo

If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection.

2 rules found Severity: Medium

Logo

If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.

2 rules found Severity: Medium

Logo

If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection.

2 rules found Severity: Medium

Logo

If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication.

2 rules found Severity: Medium

Logo

The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges.

1 rule found Severity: Medium

Logo

The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).

1 rule found Severity: Medium

Logo

LDAP integration in Docker Enterprise must be configured.

1 rule found Severity: Medium

Logo

If user authentication services are provided, CounterACT must be configured with a pre-established trust relationship and mechanisms with a central directory service that validates user account access authorizations and privileges.

1 rule found Severity: Medium

Logo

If user authentication services are provided, CounterACT must restrict user authentication traffic to specific authentication server(s).

1 rule found Severity: Medium

Logo

The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available.

1 rule found Severity: High

Logo

The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available.

1 rule found Severity: High

Logo

IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.

1 rule found Severity: Medium

Logo

IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell".

1 rule found Severity: Medium

Logo

The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.

1 rule found Severity: Medium

Logo

The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The MQ Appliance network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).

1 rule found Severity: Medium

Logo

The WebSphere Application Server LDAP user registry must be used.

1 rule found Severity: Medium

Logo

The WebSphere Application Server local file-based user registry must not be used.

1 rule found Severity: Medium

Logo

CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT.

1 rule found Severity: Medium

Logo

MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

ISEC7 EMM Suite must disable or delete local account created during application installation and configuration.

1 rule found Severity: High

Logo

The Sentry providing mobile device access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate mobile device account access authorizations and privileges.

2 rules found Severity: Medium

Logo

The Sentry providing mobile device authentication intermediary services must restrict mobile device authentication traffic to specific authentication server(s).

2 rules found Severity: Medium

Logo

SQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

2 rules found Severity: Medium

Logo

Nutanix AOS must use an enterprise user management system to uniquely identify and authenticate users.

1 rule found Severity: Medium

Logo

Oracle WebLogic must uniquely identify and authenticate users (or processes acting on behalf of users).

1 rule found Severity: High

Logo

Symantec ProxySG must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: High

Logo

Symantec ProxySG must be configured with a pre-established trust relationship and mechanisms with appropriate authorities that validate user account access authorizations and privileges.

1 rule found Severity: High

Logo

Symantec ProxySG providing user authentication intermediary services must restrict user authentication traffic to specific authentication servers.

1 rule found Severity: High

Logo

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

2 rules found Severity: Medium

Logo

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

1 rule found Severity: Medium

Logo

The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.

1 rule found Severity: High

Logo

All Workspace ONE UEM server local accounts created during application installation and configuration must be disabled or removed.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 16 must implement the management setting: use SSL for Exchange ActiveSync.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app.

2 rules found Severity: Medium

Logo

The Ubuntu operating system must uniquely identify interactive users.

2 rules found Severity: Medium

Logo

MongoDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

3 rules found Severity: Medium

Logo

The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

3 rules found Severity: Medium

Logo

The DBMS must ensure users are authenticated with an individual authenticator prior to using a group authenticator.

1 rule found Severity: Medium

Logo

PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

3 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.

1 rule found Severity: Low

Logo

The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

2 rules found Severity: Medium

Logo

The BIG-IP APM module must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.

1 rule found Severity: Medium

Logo

The BIG-IP APM module must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers.

1 rule found Severity: Medium

Logo

The BIG-IP APM module must restrict user authentication traffic to specific authentication server(s) when providing user authentication to virtual servers.

1 rule found Severity: Medium

Logo

The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).

1 rule found Severity: High

Logo

The BIG-IP Core implementation must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.

1 rule found Severity: Medium

Logo

The BIG-IP Core implementation must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers.

1 rule found Severity: Medium

Logo

The BIG-IP Core implementation providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s) when providing access control to virtual servers.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 17 must implement the management setting: use SSL for Exchange ActiveSync.

2 rules found Severity: Medium

Logo

Apple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app.

2 rules found Severity: Medium

Logo

Tomcat management applications must use LDAP realm authentication.

1 rule found Severity: Medium

Logo

The IDMS environment must require sign-on for users and restrict them to only authorized functions.

1 rule found Severity: Medium

Logo

The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network.

1 rule found Severity: Medium

Logo

The Enterprise Voice, Video, and Messaging Endpoint must be configured to uniquely identify participating users.

1 rule found Severity: High

Logo

The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).

1 rule found Severity: High

Logo

The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: High

Logo

The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system.

1 rule found Severity: High

Logo

The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.

1 rule found Severity: High

Logo

The HPE 3PAR OS must be configured for centralized account management functions via LDAP.

1 rule found Severity: Medium

Logo

The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD.

1 rule found Severity: Medium

Logo

All accounts on AIX system must have unique account names.

1 rule found Severity: High

Logo

All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users).

1 rule found Severity: High

Logo

The AIX SYSTEM attribute must not be set to NONE for any account.

1 rule found Severity: High

Logo

DCAF Console access must require a password to be entered by each user.

1 rule found Severity: Medium

Logo

The WebSphere Liberty Server must use an LDAP user registry.

1 rule found Severity: Medium

Logo

Basic Authentication must be disabled.

1 rule found Severity: Medium

Logo

ISEC7 SPHERE must disable or delete local account created during application installation and configuration.

1 rule found Severity: High

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The ICS must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

All Jamf Pro EMM server local accounts created during application installation and configuration must be disabled.

1 rule found Severity: Medium

Logo

The JBoss Server must be configured to utilize a centralized authentication mechanism such as AD or LDAP.

1 rule found Severity: Medium

Logo

MarkLogic Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

MKE must not permit users to create pods that share host process namespace.

1 rule found Severity: Medium

Logo

Azure SQL Database must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The built-in administrator account must be disabled.

2 rules found Severity: Medium

Logo

Shared user accounts must not be permitted on the system.

1 rule found Severity: Medium

Logo

Outdated or unused accounts must be removed from the system or disabled.

1 rule found Severity: Medium

Logo

Windows Server 2016 accounts must require passwords.

1 rule found Severity: Medium

Logo

ONTAP must be configured to use an authentication server to provide multifactor authentication.

1 rule found Severity: High

Logo

The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must be configured so that all Group Identifiers (GIDs) referenced in the /etc/passwd file are defined in the /etc/group file.

1 rule found Severity: Low

Logo

The MySQL Database Server 8.0 must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.

1 rule found Severity: High

Logo

Redis Enterprise DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

Automation Controller must be configured to use an enterprise user management system.

1 rule found Severity: Medium

Logo

SLEM 5 must not have duplicate User IDs (UIDs) for interactive users.

1 rule found Severity: Medium

Logo

Splunk Enterprise must use organization level authentication to uniquely identify and authenticate users.

1 rule found Severity: High

Logo

Splunk Enterprise must have all local user accounts removed after implementing organizational level user management system, except for one emergency account of last resort.

1 rule found Severity: High

Logo

Splunk Enterprise must use organization-level authentication to uniquely identify and authenticate users.

1 rule found Severity: High

Logo

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

2 rules found Severity: Medium

Logo

TOSS duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust.

1 rule found Severity: Medium

Logo

Configure opensc Smart Card Drivers

11 rules found Severity: Medium

Logo

NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

AAA Services must be configured to uniquely identify and authenticate organizational users.

1 rule found Severity: High

Logo

Apple iOS/iPadOS 18 must implement the management setting: use SSL for Exchange ActiveSync.

1 rule found Severity: Medium

Logo

Apple iOS/iPadOS 18 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 18 Mail app.

1 rule found Severity: Medium

Logo

The macOS system must disable logon to other user's active and locked sessions.

1 rule found Severity: Medium

Logo

The macOS system must disable root logon.

1 rule found Severity: Medium

Logo

The macOS system must disable login to other users' active and locked sessions.

1 rule found Severity: Medium

Logo

The macOS system must disable root login.

1 rule found Severity: Medium

Logo

The macOS system must disable unattended or automatic login to the system.

1 rule found Severity: High

Logo

The macOS system must configure login window to prompt for username and password.

1 rule found Severity: Medium

Logo

The ALG providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The ALG providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.

1 rule found Severity: Medium

Logo

The ALG providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s).

1 rule found Severity: Medium

Logo

The macOS system must configure the login window to prompt for username and password.

1 rule found Severity: Medium

Logo

The application server must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: High

Logo

Ubuntu 22.04 LTS must uniquely identify interactive users.

1 rule found Severity: Medium

Logo

The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: High

Logo

The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The container platform must uniquely identify and authenticate users.

1 rule found Severity: Medium

Logo

The container platform application program interface (API) must uniquely identify and authenticate users.

1 rule found Severity: Medium

Logo

The container platform must uniquely identify and authenticate processes acting on behalf of the users.

1 rule found Severity: Medium

Logo

The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users.

1 rule found Severity: Medium

Logo

Groups must have unique Group IDs (GIDs).

1 rule found Severity: Medium

Logo

Duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

All AlmaLinux OS 9 interactive users must have a primary group that exists.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins.

1 rule found Severity: High

Logo

The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication.

1 rule found Severity: High

Logo

The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

2 rules found Severity: Medium

Logo

IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation.

1 rule found Severity: Medium

Logo

Started tasks for IBM Security zSecure products must be properly defined.

1 rule found Severity: Medium

Logo

Certificate Name Filtering must be implemented with appropriate authorization and documentation.

1 rule found Severity: Medium

Logo

IBM z/OS Started Tasks must be properly identified and defined to ACF2.

1 rule found Severity: Medium

Logo

IBM z/OS UID(0) must be properly assigned.

3 rules found Severity: High

Logo

IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.

1 rule found Severity: Medium

Logo

IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.

1 rule found Severity: Medium

Logo

ACF2 LOGONIDs must be defined with the required fields completed.

1 rule found Severity: Medium

Logo

CA-ACF2 defined user accounts must uniquely identify system users.

1 rule found Severity: Medium

Logo

IBM z/OS FTP Server daemon must be defined with proper security parameters.

1 rule found Severity: Medium

Logo

IBM z/OS Syslog daemon must be started at z/OS initialization.

1 rule found Severity: Medium

Logo

IBM z/OS Syslog daemon must be properly defined and secured.

1 rule found Severity: Medium

Logo

IBM RACF users must have the required default fields.

1 rule found Severity: Medium

Logo

IBM interactive USERIDs defined to RACF must have the required fields completed.

1 rule found Severity: Medium

Logo

IBM z/OS Started Tasks must be properly identified and defined to RACF.

1 rule found Severity: Medium

Logo

The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP.

1 rule found Severity: Medium

Logo

IBM RACF user accounts must uniquely identify system users.

1 rule found Severity: Medium

Logo

IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.

1 rule found Severity: Medium

Logo

IBM z/OS user account for the z/OS UNIX SUPERSUSER userid must be properly defined.

1 rule found Severity: Medium

Logo

IBM z/OS UNIX user accounts must be properly defined.

3 rules found Severity: Medium

Logo

IBM z/OS UNIX groups must be defined with a unique GID.

2 rules found Severity: Medium

Logo

IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.

1 rule found Severity: Medium

Logo

IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.

1 rule found Severity: Medium

Logo

IBM Integrated Crypto Service Facility (ICSF) Started Task name must be properly identified / defined to the system ACP.

1 rule found Severity: Medium

Logo

The IBM z/OS FTP server daemon must be defined with proper security parameters.

2 rules found Severity: Medium

Logo

The IBM z/OS Syslog daemon must be started at z/OS initialization.

1 rule found Severity: Medium

Logo

The IBM z/OS Syslog daemon must be properly defined and secured.

2 rules found Severity: Medium

Logo

The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database.

2 rules found Severity: Medium

Logo

The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined.

2 rules found Severity: Medium

Logo

The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined.

2 rules found Severity: Medium

Logo

IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.

2 rules found Severity: Medium

Logo

IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP.

2 rules found Severity: Medium

Logo

IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation.

1 rule found Severity: Medium

Logo

The CA-TSS CPFRCVUND Control Option value specified must be set to NO.

1 rule found Severity: Medium

Logo

The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL.

1 rule found Severity: Medium

Logo

CA-TSS User ACIDs and Control ACIDs must have the NAME field completed.

1 rule found Severity: Low

Logo

The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type.

1 rule found Severity: High

Logo

Interactive ACIDs defined to CA-TSS must have the required fields completed.

1 rule found Severity: Low

Logo

CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced.

1 rule found Severity: Medium

Logo

IBM z/OS DASD management ACIDs must be properly defined to CA-TSS.

1 rule found Severity: Medium

Logo

The IBM z/OS Syslog daemon must not be started at z/OS initialization.

1 rule found Severity: Medium

Logo

IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements.

1 rule found Severity: Medium

Logo

IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99.

1 rule found Severity: Medium

Logo

IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

The Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

MariaDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

Windows Server 2019 shared user accounts must not be permitted.

1 rule found Severity: Medium

Logo

Windows Server 2019 accounts must require passwords.

1 rule found Severity: Medium

Logo

Windows Server 2022 shared user accounts must not be permitted.

1 rule found Severity: Medium

Logo

Windows Server 2022 accounts must require passwords.

1 rule found Severity: Medium

Logo

The DBMS must ensure users are authenticated with an individual authenticator prior to using a shared authenticator.

1 rule found Severity: Medium

Logo

All Prisma Cloud Compute users must have a unique, individual account.

1 rule found Severity: Medium

Logo

Prisma Cloud Compute Console must run as nonroot user (uid 2674).

1 rule found Severity: Medium

Logo

OL 8 duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

OpenShift RBAC access controls must be enforced.

1 rule found Severity: High

Logo

OpenShift must disable root and terminate network connections.

1 rule found Severity: High

Logo

The Palo Alto Networks security platform must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).

1 rule found Severity: Medium

Logo

The Palo Alto Networks security platform must not use the default admin account password.

1 rule found Severity: High

Logo

RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

RHEL 9 duplicate User IDs (UIDs) must not exist for interactive users.

1 rule found Severity: Medium

Logo

All RHEL 9 interactive users must have a primary group that exists.

1 rule found Severity: Medium

Logo

RHEL 9 groups must have unique Group ID (GID).

1 rule found Severity: Medium

Logo

RHEL 9 must use the common access card (CAC) smart card driver.

1 rule found Severity: Medium

Logo

The SUSE operating system must not have duplicate User IDs (UIDs) for interactive users.

2 rules found Severity: Medium

Logo

Duplicate User IDs (UIDs) must not exist for users within the organization.

2 rules found Severity: Medium

Logo

The UEM server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The VMM must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

The ESXi host must use Active Directory for local user authentication.

1 rule found Severity: Low

Logo

ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.

1 rule found Severity: Medium

Logo

Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.

1 rule found Severity: Medium

Logo

The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.

2 rules found Severity: Low

Logo

The Photon operating system must not have duplicate User IDs (UIDs).

3 rules found Severity: Medium

Logo

The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.

3 rules found Severity: Medium

Logo

VMware Postgres must require authentication on all connections.

1 rule found Severity: Low

Logo

The vCenter PostgreSQL service must require authentication on all connections.

2 rules found Severity: Medium

Logo

BMC CONTROL-D Started Task name is not properly identified / defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC CONTROL-M Started Task name is not properly identified / defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC CONTROL-O Started Task name is not properly identified / defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC IOA Started Task name must be properly identified and defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC Mainview for z/OS Started Task name must be properly identified and/or defined to the system ACP.

1 rule found Severity: Medium

Logo

CA 1 Tape Management Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

CA Common Services Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

CA MIM Resource Sharing Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

CA VTAPE Started Task name is not properly identified/defined to the system ACP.

3 rules found Severity: Medium

Logo

CL/SuperSession Started Task name is not properly identified / defined to the system ACP.

3 rules found Severity: Medium

Logo

Compuware Abend-AID Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

IBM CSSMTP Started Task name is not properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.

2 rules found Severity: Medium

Logo

CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.

3 rules found Severity: Medium

Logo

IBM Health Checker Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC CONTROL-D Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

BMC CONTROL-M Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

ROSCOE Started Task name is not properly identified / defined to the system ACP.

3 rules found Severity: Medium

Logo

Tivoli Asset Discovery for z/OS (TADz) Started Task name(s) must be properly identified / defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC Mainview for z/OS Started Task name is not properly identified and/or defined to the system ACP.

2 rules found Severity: Medium

Logo

BMC Mainview for z/OS Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.

1 rule found Severity: High

Logo

WebSphere MQ started tasks are not defined in accordance with the proper security requirements.

3 rules found Severity: Medium

Logo

WebSphere MQ dead letter and alias dead letter queues are not properly defined.

3 rules found Severity: Medium

Logo

BMC CONTROL-D Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

BMC CONTROL-D is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

IBM System Display and Search Facility (SDSF) Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

NetView Started Task name must be properly identified / defined to the system ACP.

1 rule found Severity: Medium

Logo

Quest NC-Pass Started Task name will be properly identified and/or defined to the system ACP.

3 rules found Severity: Medium

Logo

BMC CONTROL-O Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

BMC IOA Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CA 1 Tape Management Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CA Common Services Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CA MIM Resource Sharing Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CA VTAPE Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

BMC CONTROL-M Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

BMC CONTROL-M is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

BMC CONTROL-O Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

BMC CONTROL-O is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

Compuware Abend-AID Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

IBM CSSMTP Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CL/SuperSession Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

BMC IOA Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

BMC IOA is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

BMC Mainview for z/OS Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

BMC Mainview for z/OS is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

CA Common Services Started task will be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

IBM Health Checker Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CA MIM Resource Sharing Started task will be properly defined to the Started Task Table for Top Secret.

1 rule found Severity: Medium

Logo

NetView Started Task name(s) is not properly identified / defined to the system ACP.

1 rule found Severity: Medium

Logo

IBM Tivoli NetView Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CL/SuperSession Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

CL/SuperSession is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

Compuware Abend-AID Started task will be properly defined to the Started Task Table for Top Secret.

1 rule found Severity: Medium

Logo

IBM Tivoli Asset Discovery for zOS (TADz) Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

IBM Health Checker Started task will be properly defined to the Started Task Table for Top Secret.

1 rule found Severity: Medium

Logo

CA 1 Tape Management Started task will be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

CA 1 Tape Management will be properly defined to the Facility Matrix Table.

1 rule found Severity: Medium

Logo

CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.

1 rule found Severity: Medium

Logo

IBM System Display and Search Facility (SDSF) Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

CA VTAPE Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

Quest NC-Pass Started task will be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

ROSCOE Started task(s) must be properly defined to the STARTED resource class for RACF.

1 rule found Severity: Medium

Logo

IBM CSSMTP Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

IBM System Display and Search Facility (SDSF) Started task will be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

NetView Started Task name(s) is not properly identified / defined to the system ACP.

1 rule found Severity: Medium

Logo

IBM Tivoli NetView Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

NetView is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

ROSCOE Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

ROSCOE is not properly defined to the Facility Matrix Table for Top Secret.

1 rule found Severity: Medium

Logo

Quest NC-Pass Started task will be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

Quest NC-Pass will be properly defined to the Facility Matrix Table.

1 rule found Severity: Medium

Logo

IBM Tivoli Asset Discovery for zOS (TADz) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret.

1 rule found Severity: Medium

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo