Capacity
CCI-001094
Restrict the ability of individuals to launch organization-defined denial of service attacks against other systems.
2
Rule
Severity: Medium
The Apache web server must restrict the ability of users to launch denial-of-service (DoS) attacks against other information systems or networks.
6
Rule
Severity: Medium
The Apache web server must be tuned to handle the operational requirements of the hosted application.
1
Rule
Severity: Medium
The Arista Multilayer Switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
2
Rule
Severity: Medium
The ALG providing content filtering must block outbound traffic containing known and unknown DoS attacks to protect against the use of internal information systems to launch any Denial of Service (DoS) attacks against other networks or endpoints.
2
Rule
Severity: High
The Arista perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
2
Rule
Severity: Medium
The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems.
2
Rule
Severity: Medium
A BIND 9.x server implementation must prohibit recursion on authoritative name servers.
2
Rule
Severity: Medium
A BIND 9.x implementation configured as a caching name server must restrict recursive queries to only the IP addresses and IP address ranges of known supported clients.
1
Rule
Severity: Medium
The CA API Gateway providing content filtering must block outbound traffic containing known and unknown Denial of Service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
2
Rule
Severity: Medium
The DNS server implementation must restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
2
Rule
Severity: Medium
The firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The FortiGate firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The HP FlexFabric Switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding.
1
Rule
Severity: Medium
The Infoblox system must restrict the ability of individuals to use the DNS server to launch denial-of-Service (DoS) attacks against other information systems.
1
Rule
Severity: Medium
The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network.
1
Rule
Severity: Medium
The Infoblox system must be configured to restrict the ability of individuals to use the DNS server to launch Denial of Service (DoS) attacks against other information systems.
4
Rule
Severity: High
The Juniper perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown DoS attacks to protect against the use of internal information systems to launch any Denial of Service (DoS) attacks against other networks or endpoints.
4
Rule
Severity: Medium
The Juniper PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Low
Exchange Mail quota settings must not restrict receiving mail.
2
Rule
Severity: Low
Exchange Mail Quota settings must not restrict receiving mail.
1
Rule
Severity: Low
The Exchange Mail Store storage quota must issue a warning.
2
Rule
Severity: Low
Exchange Mailbox Stores must mount at startup.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must restrict individuals from using it for launching Denial of Service (DoS) attacks against other information systems.
1
Rule
Severity: Medium
OHS must have the Timeout directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the KeepAlive directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the KeepAliveTimeout properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the MaxKeepAliveRequests directive properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the ListenBacklog properly set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the LimitRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the LimitRequestFields directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the LimitRequestFieldSize directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the LimitRequestLine directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the LimitXMLRequestBody directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
1
Rule
Severity: Medium
OHS must have the LimitInternalRecursion directive set to restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
2
Rule
Severity: Medium
Prisma Cloud Compute must prevent unauthorized and unintended information transfer.
2
Rule
Severity: Medium
The PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.
1
Rule
Severity: High
The perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: Medium
Symantec ProxySG must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
Tanium must restrict the ability of individuals to place too much impact upon the network, which might result in a denial-of-service (DoS) event on the network by using RandomSensorDelayInSeconds.
2
Rule
Severity: Medium
The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined denial-of-service (DoS) attacks against other information systems.
1
Rule
Severity: Medium
The Tanium application must restrict the ability of individuals to place too much impact upon the network, which might result in a Denial of Service (DoS) event on the network by using RandomSensorDelayInSeconds.
2
Rule
Severity: Medium
The Tanium application must restrict the ability of individuals to use information systems to launch organization-defined Denial of Service (DoS) attacks against other information systems.
1
Rule
Severity: Medium
The NSX-T Distributed Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The NSX-T Tier-1 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway Firewall must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: High
Unicast Reverse Path Forwarding (uRPF) must be enabled on the NSX-T Tier-0 Gateway.
6
Rule
Severity: High
The Cisco perimeter router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
6
Rule
Severity: High
The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF).
4
Rule
Severity: Medium
The Cisco PE router must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.
4
Rule
Severity: Medium
The Cisco PE switch must be configured to limit the number of MAC addresses it can learn for each Virtual Private LAN Services (VPLS) bridge domain.
2
Rule
Severity: Medium
The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems.
2
Rule
Severity: Low
Exchange mailbox stores must mount at startup.
2
Rule
Severity: Low
Exchange mail quota settings must not restrict receiving mail.
2
Rule
Severity: Low
Exchange mail quota settings must not restrict sending mail.
2
Rule
Severity: Medium
More than one Edge server must be deployed.
2
Rule
Severity: Medium
The IIS 10.0 website must be configured to limit the maxURL.
2
Rule
Severity: Medium
The IIS 10.0 website must be configured to limit the size of web requests.
2
Rule
Severity: Medium
The IIS 10.0 websites Maximum Query String limit must be configured.
2
Rule
Severity: Medium
Non-ASCII characters in URLs must be prohibited by any IIS 10.0 website.
2
Rule
Severity: Medium
Double encoded URL requests must be prohibited by any IIS 10.0 website.
2
Rule
Severity: Medium
Unlisted file extensions in URL requests must be filtered by any IIS 10.0 website.
1
Rule
Severity: Medium
Windows Defender Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a domain.
1
Rule
Severity: Medium
Windows Defender Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a private network.
1
Rule
Severity: Medium
Windows Defender Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a public network.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must protect against the use of internal systems for launching Denial of Service (DoS) attacks against external networks or endpoints.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must block phone home traffic.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must deny outbound IP packets that contain an illegitimate address in the source address field.
2
Rule
Severity: Medium
OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by setting a default Resource Quota.
2
Rule
Severity: Medium
OpenShift must restrict individuals the ability to launch organizational-defined Denial-of-Service (DOS) attacks against other information systems by rate-limiting.
2
Rule
Severity: Medium
OpenShift must protect against or limit the effects of all types of Denial-of-Service (DoS) attacks by defining resource quotas on a namespace.
1
Rule
Severity: Medium
VAMI must protect against or limit the effects of HTTP types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
Performance Charts must limit the number of allowed connections.
1
Rule
Severity: Medium
ESX Agent Manager must limit the number of allowed connections.
1
Rule
Severity: Medium
Lookup Service must limit the number of allowed connections.
1
Rule
Severity: Medium
The Security Token Service must limit the number of allowed connections.
1
Rule
Severity: Medium
vSphere UI must limit the number of allowed connections.
2
Rule
Severity: Medium
The vCenter VAMI service must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
2
Rule
Severity: Medium
The web server must restrict the ability of users to launch Denial of Service (DoS) attacks against other information systems or networks.
2
Rule
Severity: Medium
The Windows DNS Server must restrict individuals from using it for launching denial-of-service (DoS) attacks against other information systems.
1
Rule
Severity: High
Dragos Platforms must limit privileges and not allow the ability to run shell.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing content filtering must employ rate-based attack prevention behavior analysis.
1
Rule
Severity: Medium
The F5 BIG-IP DNS server implementation must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: High
The F5 BIG-IP appliance must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway Firewall must block outbound traffic containing known and unknown denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
1
Rule
Severity: High
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1
Rule
Severity: Medium
The Palo Alto Networks security platform must protect against the use of internal systems for launching denial-of-service (DoS) attacks against external networks or endpoints.
1
Rule
Severity: Medium
The NSX Distributed Firewall must limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: High
The NSX Tier-0 Gateway Firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: High
The NSX Tier-0 Gateway router must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field by enabling Unicast Reverse Path Forwarding (uRPF).
1
Rule
Severity: High
The NSX Tier-1 Gateway firewall must manage excess bandwidth to limit the effects of packet flooding types of denial-of-service (DoS) attacks.
1
Rule
Severity: Medium
The vCenter VAMI service must restrict the ability of users to launch denial-of-service (DoS) attacks against other information systems or networks.