CCI-001184
Protect the authenticity of communications sessions.
2 | Rule | Severity: Medium | The ALG must protect the authenticity of communications sessions.
2 | Rule | Severity: Medium | The application server must be configured to mutually authenticate connecting proxies, application servers or gateways.
2 | Rule | Severity: Medium | The application must set the HTTPOnly flag on session cookies.
2 | Rule | Severity: Medium | The application must set the secure flag on session cookies.
2 | Rule | Severity: High | The application must not expose session IDs.
2 | Rule | Severity: High | A BIND 9.x server implementation must maintain the integrity and confidentiality of DNS information while it is being prepared for transmission, in transmission, and in use, and it must perform integrity verification and data origin verification for all DNS information.
1 | Rule | Severity: Medium | The CA API Gateway must protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | Citrix License Server must protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | XenDesktop License Server must protect the authenticity of communications sessions.
1 | Rule | Severity: High | Citrix Linux Virtual Delivery Agent must implement DoD-approved encryption.
1 | Rule | Severity: High | Citrix Receiver must implement DoD-approved encryption.
2 | Rule | Severity: High | Citrix Windows Virtual Delivery Agent must implement DoD-approved encryption.
1 | Rule | Severity: Medium | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
2 | Rule | Severity: Medium | The DNS implementation must protect the authenticity of communications sessions for zone transfers.
2 | Rule | Severity: Medium | The DNS implementation must protect the authenticity of communications sessions for dynamic updates.
2 | Rule | Severity: Medium | The DNS implementation must protect the authenticity of communications sessions for queries.
1 | Rule | Severity: Medium | Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers when communicating with external DNS servers.
1 | Rule | Severity: Medium | Infoblox DNS servers must protect the authenticity of communications sessions for dynamic updates.
1 | Rule | Severity: Medium | Infoblox DNS servers must protect the authenticity of communications sessions for queries.
1 | Rule | Severity: Medium | The IBM Aspera High-Speed Transfer Endpoint must be configured to protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | The IBM Aspera High-Speed Transfer Server must be configured to protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | The DataPower Gateway must protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.
1 | Rule | Severity: Medium | The WebSphere Application Server must use multifactor authentication for network access to privileged accounts.
1 | Rule | Severity: Medium | The WebSphere Application Server trust store must contain the DoD root CAs.
1 | Rule | Severity: Medium | Infoblox DNS servers must protect the authenticity of communications sessions for zone transfers.
1 | Rule | Severity: Medium | Infoblox DNS servers must be configured to protect the authenticity of communications sessions for dynamic updates.
1 | Rule | Severity: Medium | Infoblox DNS servers must be configured to protect the authenticity of communications sessions for queries.
2 | Rule | Severity: High | The Juniper SRX Services Gateway VPN must configure Internet Key Exchange (IKE) with SHA1 or greater to protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | Session Initiation Protocol (SIP) security mode must be configured.
1 | Rule | Severity: Medium | In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from falling back to unencrypted HTTP.
2 | Rule | Severity: Medium | Exchange internal Receive connectors must require encryption.
1 | Rule | Severity: Medium | Exchange internal Receive connectors must use Domain Security (mutual authentication Transport Layer Security).
1 | Rule | Severity: Medium | Exchange internal Send connectors must require encryption.
2 | Rule | Severity: Medium | Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
1 | Rule | Severity: Medium | Session Initiation Protocol (SIP) security mode must be configured.
1 | Rule | Severity: Medium | In the event a secure Session Initiation Protocol (SIP) connection fails, the connection must be restricted from falling back to unencrypted HTTP.
1 | Rule | Severity: High | SharePoint must ensure authentication of both client and server during the entire session. An example of this is SSL mutual authentication.
1 | Rule | Severity: High | SharePoint must implement an information system isolation boundary that minimizes the number of nonsecurity functions included within the boundary containing security functions.
1 | Rule | Severity: Medium | The Windows 2012 DNS Server must protect the authenticity of zone transfers via transaction signing.
1 | Rule | Severity: High | The Windows 2012 DNS Server must protect the authenticity of dynamic updates via transaction signing.
1 | Rule | Severity: Medium | The Windows 2012 DNS Server must protect the authenticity of query responses via DNSSEC.
1 | Rule | Severity: Medium | Oracle WebLogic must ensure authentication of both client and server during the entire session.
1 | Rule | Severity: Medium | The Riverbed Optimization System (RiOS) must protect the authenticity of communications sessions by configuring secure peering trusts for SSL and secure protocols.
1 | Rule | Severity: High | Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
1 | Rule | Severity: High | Symantec ProxySG must use Transport Layer Security (TLS) to protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients, which will ensure the authenticity of communications sessions when answering requests from the Tanium Server.
1 | Rule | Severity: Medium | The Tanium Server must protect the confidentiality and integrity of transmitted information with cryptographic signing capabilities enabled to ensure the authenticity of communications sessions when making requests from Tanium Clients.
5 | Rule | Severity: Medium | The Tanium cryptographic signing capabilities must be enabled on the Tanium Clients to safeguard the authenticity of communications sessions when answering requests from the Tanium Server.
2 | Rule | Severity: Medium | The UEM server must protect the authenticity of communications sessions.
2 | Rule | Severity: Medium | The VPN Gateway must use FIPS 140-2 compliant mechanisms for authentication to a cryptographic module.
2 | Rule | Severity: High | The IPSec VPN must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE).
2 | Rule | Severity: Medium | Tomcat servers must mutually authenticate proxy or load balancer connections.
2 | Rule | Severity: High | The Cisco ASA must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE) Phase 2.
2 | Rule | Severity: High | The container platform must protect the authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptographic modules.
2 | Rule | Severity: Medium | The Kubernetes API server must use approved cipher suites.
2 | Rule | Severity: Medium | Kubernetes API Server must have the SSL Certificate Authority set.
2 | Rule | Severity: Medium | Kubernetes Kubelet must have the SSL Certificate Authority set.
2 | Rule | Severity: Medium | Kubernetes Controller Manager must have the SSL Certificate Authority set.
2 | Rule | Severity: Medium | Kubernetes API Server must have a certificate for communication.
4 | Rule | Severity: Medium | Kubernetes etcd must enable client authentication to secure service.
2 | Rule | Severity: Medium | Kubernetes Kubelet must enable tlsPrivateKeyFile for client authentication to secure service.
2 | Rule | Severity: Medium | Kubernetes Kubelet must enable tlsCertFile for client authentication to secure service.
4 | Rule | Severity: Medium | Kubernetes etcd must have a key file for secure communication.
4 | Rule | Severity: Medium | Kubernetes etcd must have a certificate for communication.
2 | Rule | Severity: Medium | Kubernetes etcd must have the SSL Certificate Authority set.
2 | Rule | Severity: Medium | Kubernetes etcd must have peer-cert-file set for secure communication.
2 | Rule | Severity: Medium | Kubernetes etcd must have a peer-key-file set for secure communication.
2 | Rule | Severity: Medium | Remoting Services HTTP channels must utilize authentication and encryption.
2 | Rule | Severity: Medium | Remoting Services TCP channels must utilize authentication and encryption.
1 | Rule | Severity: Medium | Exchange internal Send connectors must use domain security (mutual authentication Transport Layer Security).
2 | Rule | Severity: Medium | Exchange internal send connectors must use domain security (mutual authentication Transport Layer Security).
2 | Rule | Severity: Medium | Exchange internet-facing receive connectors must offer Transport Layer Security (TLS) before using basic authentication.
1 | Rule | Severity: Medium | Logon options must be configured to prompt (Internet zone).
1 | Rule | Severity: Medium | Logon options must be configured and enforced (Restricted Sites zone).
2 | Rule | Severity: High | The application must protect the confidentiality and integrity of transmitted information.
3 | Rule | Severity: Medium | The SIP security mode in Lync must be enabled.
3 | Rule | Severity: Medium | The HTTP fallback for SIP connection in Lync must be disabled.
2 | Rule | Severity: High | OpenShift must protect the authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptography.
2 | Rule | Severity: Medium | The Windows DNS Server must protect the authenticity of zone transfers via transaction signing.
2 | Rule | Severity: High | The Windows DNS Server must protect the authenticity of dynamic updates via transaction signing.
2 | Rule | Severity: Medium | The Windows DNS Server must protect the authenticity of query responses via DNSSEC.
1 | Rule | Severity: Medium | The F5 BIG-IP appliance must not use the On-Demand Cert Auth VPE agent as part of the APM Policy Profiles.
2 | Rule | Severity: Low | The F5 BIG-IP appliance must be configured to limit authenticated client sessions to the initial session source IP.
1 | Rule | Severity: Medium | The BIG-IP Core implementation must be configured to protect the authenticity of communications sessions.
1 | Rule | Severity: Medium | The Enterprise Voice, Video, and Messaging Endpoint must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.
1 | Rule | Severity: High | The F5 BIG-IP appliance providing intermediary services for remote access must use FIPS-validated cryptographic algorithms, including TLS 1.2 at a minimum.
1 | Rule | Severity: Medium | The F5 BIG-IP appliance must not use the On-demand Cert Auth VPE agent as part of the APM Policy Profiles.
1 | Rule | Severity: Medium | The F5 BIG-IP appliance must be configured to restrict a consistent inbound IP for the entire management session.
2 | Rule | Severity: Medium | The VPN Gateway must use Always On VPN connections for remote computing.
1 | Rule | Severity: Medium | An authoritative name server must be configured to enable DNSSEC Resource Records.
1 | Rule | Severity: High | The F5 BIG-IP DNS implementation must protect the authenticity of communications sessions for zone transfers.
1 | Rule | Severity: High | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use FIPS-validated SHA-2 or higher to protect the authenticity of communications sessions.
1 | Rule | Severity: High | The F5 BIG-IP appliance IPsec VPN must be configured to use FIPS-validated SHA-2 or higher for Internet Key Exchange (IKE).
1 | Rule | Severity: High | FIPS mode must be enabled.
1 | Rule | Severity: High | Rancher RKE2 must protect the authenticity of communications sessions with the use of FIPS 140-2 or 140-3 validated cryptographic modules.
1 | Rule | Severity: Medium | The router must be configured to implement message authentication for all control plane protocols.
1 | Rule | Severity: Medium | The BGP router must be configured to use a unique key for each autonomous system (AS) that it peers with.
1 | Rule | Severity: Medium | The router must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
1 | Rule | Severity: Medium | The web server must restrict a consistent inbound source IP for the entire management session.
1 | Rule | Severity: Info | The web server must restrict a consistent inbound source IP for the entire user session.
1 | Rule | Severity: Medium | The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
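Added example, not part of the CCI/STIG catalog above: a small standard-library checker for the three application session-cookie rules (HttpOnly flag, Secure flag, no session-ID exposure), together with a builder that emits a compliant Set-Cookie value. The list of session-cookie names, the sample headers and the URLs are constructed for the demonstration; the builder also sets SameSite=Strict, which goes beyond the two flag rules but is the usual companion setting.

```python
"""Audit Set-Cookie headers and URLs against the session-cookie rules.
Added example, not catalog/STIG code. Standard library only."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed list of common session cookie / session parameter names (lowercase).
SESSION_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "session"}


def audit_set_cookie(header_value):
    """Findings for one Set-Cookie header value. An empty list means every
    session cookie in it carries both the HttpOnly and the Secure flag."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_NAMES:
            continue                      # non-session cookies are out of scope here
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable via document.cookie)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (may be sent over cleartext HTTP)")
    return findings


def exposed_session_ids(url):
    """Session identifiers carried in a URL (query string or a ';jsessionid='
    style path parameter); these leak into logs, Referer headers and history."""
    parts = urlsplit(url)                 # urlsplit keeps ';param' inside .path
    found = [k for k in parse_qs(parts.query) if k.lower() in SESSION_NAMES]
    for segment in parts.path.split(";")[1:]:
        key = segment.split("=", 1)[0]
        if key.lower() in SESSION_NAMES:
            found.append(key)
    return found


def hardened_session_cookie(name, value, max_age=1800):
    """Set-Cookie value with HttpOnly, Secure, a short Max-Age, Path=/ and
    SameSite=Strict (SameSite is an addition beyond the two flag rules)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


def audit_response(headers, request_url):
    """Run every check over response headers given as (name, value) pairs."""
    findings = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
    findings.extend(f"session ID exposed in URL parameter {k}"
                    for k in exposed_session_ids(request_url))
    return findings


if __name__ == "__main__":
    # Constructed sample: a Java application that also rewrites the ID into the URL.
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "JSESSIONID=1A2B3C4D; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    for finding in audit_response(sample_headers,
                                  "https://app.example.test/cart;jsessionid=1A2B3C4D"):
        print("FINDING:", finding)
    print("Compliant:", hardened_session_cookie("JSESSIONID", "1A2B3C4D"))
```

`audit_response` is the function to drive from a proxy log or a test-suite hook; the name list is the only thing that needs tailoring per application.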
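Added example, not part of the CCI/STIG catalog and not vendor code: a minimal TSIG (RFC 8945) signer and verifier over a constructed AXFR request, to show what the "transaction signing" rules for zone transfers and dynamic updates listed above actually check: a shared-secret HMAC over the DNS message plus the TSIG variables, bound to a time window so a captured request cannot be replayed later. The key name, secret, zone and timestamps are made up, and the code is standard library only.

```python
"""Minimal TSIG signing/verification (RFC 8945). Added example, not catalog code."""
import hashlib
import hmac
import struct
import time

TYPE_AXFR, TYPE_TSIG, CLASS_IN, CLASS_ANY = 252, 250, 1, 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}
FUDGE = 300                                   # seconds of clock skew tolerated


def encode_name(name):
    """Canonical (lowercased, uncompressed) wire form of a DNS name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(wire, off):
    """Read a possibly compressed name; return (text, offset after it)."""
    labels, end = [], None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def make_axfr_request(zone, msg_id):
    """Unsigned AXFR query: 12-byte header plus one question."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN))


def tsig_variables(keyname, alg, time_signed, fudge, error=0, other=b""):
    """TSIG fields covered by the MAC (RFC 8945 4.3.3): key name, class ANY,
    TTL 0, algorithm name, 48-bit time signed, fudge, error, other data."""
    return (encode_name(keyname) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(alg)
            + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(wire, keyname, secret, alg="hmac-sha256.", time_signed=None, fudge=FUDGE):
    """Append a TSIG RR as the last additional record of an unsigned message."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    msg_id, arcount = struct.unpack("!H", wire[:2])[0], struct.unpack("!H", wire[10:12])[0]
    mac = hmac.new(secret, wire + tsig_variables(keyname, alg, time_signed, fudge),
                   ALGORITHMS[alg]).digest()
    rdata = (encode_name(alg) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))     # original ID, error, other len
    rr = encode_name(keyname) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return wire[:10] + struct.pack("!H", arcount + 1) + wire[12:] + rr


def tsig_verify(wire, keyring, now=None):
    """Check the trailing TSIG RR against keyring {lowercase key name: secret}.
    Returns (ok, reason) using the RFC 8945 error names."""
    now = int(time.time()) if now is None else now
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    if ar == 0:
        return False, "unsigned: no TSIG RR"
    off = 12
    for _ in range(qd):
        off = decode_name(wire, off)[1] + 4
    for _ in range(an + ns + ar):                    # walk to the last RR
        start = off
        off = decode_name(wire, off)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10 + rdlen
    if rtype != TYPE_TSIG or off != len(wire):
        return False, "FORMERR: TSIG RR must be the last record"
    keyname, p = decode_name(wire, start)
    alg, p = decode_name(wire, p + 10)
    time_signed = int.from_bytes(wire[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", wire[p + 6:p + 10])
    mac = wire[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", wire[p:p + 6])
    other = wire[p + 6:p + 6 + other_len]
    secret = keyring.get(keyname.lower())
    if secret is None or alg.lower() not in ALGORITHMS:
        return False, "BADKEY: unknown key name or algorithm"
    # Rebuild the message as it was signed: TSIG removed, ARCOUNT decremented, original ID.
    unsigned = struct.pack("!H", orig_id) + wire[2:10] + struct.pack("!H", ar - 1) + wire[12:start]
    expected = hmac.new(secret, unsigned + tsig_variables(keyname, alg, time_signed, fudge, error, other),
                        ALGORITHMS[alg.lower()]).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG: MAC mismatch (altered message or wrong key)"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME: outside the fudge window (replay or clock skew)"
    return True, "NOERROR"


# Constructed demo key material and a fixed clock (not real values).
KEYRING = {"axfr-key.example.test.": b"constructed-demo-secret-not-for-real-use"}
T0 = 1_700_000_000

if __name__ == "__main__":
    key = "axfr-key.example.test."
    signed = tsig_sign(make_axfr_request("example.test.", 0x1234), key, KEYRING[key], time_signed=T0)
    altered = bytearray(signed)
    altered[13] ^= 0x20                              # flip one byte inside the QNAME
    print("valid   ", tsig_verify(signed, KEYRING, now=T0 + 5))
    print("altered ", tsig_verify(bytes(altered), KEYRING, now=T0 + 5))
    print("replayed", tsig_verify(signed, KEYRING, now=T0 + 3600))
```

The verifier deliberately checks the MAC before the time window, as the RFC orders it, and it rebuilds the message with the original ID so a forwarder that rewrites the query ID does not break the signature. Keys are looked up by canonical (lowercase) name, which is also why the key name must be identical on both the primary and the secondary.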