CCI-000778

Disable GNOME3 Automounting

Disable GNOME3 Automount Opening

Disable GNOME3 Automount running

Disable the Automounter

Disable Modprobe Loading of USB Storage Driver

Configure Certificate Directives for LDAP Use of TLS

AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.

The Arista Multilayer Switch must uniquely identify all network-connected endpoint devices before establishing any connection.

The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner.

The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.

The BIND 9.x server implementation must utilize separate TSIG key-pairs when securing server-to-server transactions.

The DNS server implementation must uniquely identify the other DNS server before responding to a server-to-server transaction.

Forescout must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.

When using non-Grid DNS servers for zone transfers, each name server must use TSIG to uniquely identify the other server.

The MQ Appliance messaging server must uniquely identify all network-connected endpoint devices before establishing any connection.

The WebSphere Application Server Single Sign On (SSO) must have SSL enabled for Web and SIP Security.

Infoblox systems which are configured to perform zone transfers to non-Grid name servers must utilize transaction signatures (TSIG).

The JBoss server must be configured to bind the management interfaces to only management networks.

The layer 2 switch must uniquely identify all network-connected endpoint devices before establishing any connection.

The Windows 2012 DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.

Nutanix AOS must be configured to disable USB mass storage devices.

The Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.

The Tanium endpoint must have the Tanium Server's pki.db in its installation.

The Tanium endpoint must have the Tanium Servers public key in its installation.

The VPN Gateway must uniquely identify all network-connected endpoint devices before establishing a connection.

The Cisco ASA VPN gateway must be configured to identify all peers before establishing a connection.

The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.

The Cisco ISE must deny network connection for endpoints that cannot be authenticated using an approved method. This is required for compliance with C2C Step 4.

The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection.

The container platform must uniquely identify all network-connected nodes before establishing any connection.

The operating system must uniquely identify peripherals before establishing a connection.

AIX must configure the ttys value for all interactive users.

The Juniper EX switch must be configured to uniquely identify all network-connected endpoint devices before establishing any connection.

The Oracle Linux operating system must be configured to disable USB mass storage.

The Oracle Linux operating system must disable the file system automounter unless required.

The Oracle Linux operating system must disable the graphical user interface automounter unless required.

The OL 8 file system automounter must be disabled unless required.

OL 8 must be configured to disable the ability to use USB mass storage devices.

The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.

The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.

The RHEL 8 file system automounter must be disabled unless required.

RHEL 8 must be configured to disable USB mass storage.

The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.

RHEL 9 file system automount function must be disabled unless required.

The SUSE operating system must disable the file system automounter unless required.

RHEL 9 must disable the graphical user interface automount function unless required.

RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.

RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.

RHEL 9 must be configured to disable USB mass storage.

The VMM must uniquely identify peripherals before establishing a connection.

The Photon operating system must disable the loading of unnecessary kernel modules.

The Photon operating system must disable unnecessary kernel modules.

The Windows DNS Server must uniquely identify the other DNS server before responding to a server-to-server transaction.

The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.

An authoritative name server must be configured to enable DNSSEC Resource Records.

The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify each Voice Video Endpoint device before registration.

IPSec network encryption must be configured.

SLEM 5 must disable the file system automounter unless required.

The TOSS file system automounter must be disabled unless required.

TOSS must be configured to disable USB mass storage.