CCI-001188
Generate a unique session identifier for each session with organization-defined randomness requirements.
2
Rule
Severity: Medium
The Apache web server must accept only system-generated session identifiers.
4
Rule
Severity: Medium
The Apache web server must generate unique session identifiers that cannot be reliably reproduced.
2
Rule
Severity: Medium
The Apache web server must generate unique session identifiers with definable entropy.
2
Rule
Severity: Medium
The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.
2
Rule
Severity: Medium
The ALG must generate unique session identifiers using a FIPS 140-2 approved random number generator.
2
Rule
Severity: High
The application server must generate a unique session identifier using a FIPS 140-2 approved random number generator.
2
Rule
Severity: Medium
The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality.
1
Rule
Severity: Medium
The CA API Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
1
Rule
Severity: High
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
1
Rule
Severity: Medium
The FortiGate device must generate unique session identifiers using a FIPS 140-2-approved random number generator.
3
Rule
Severity: Medium
The network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
1
Rule
Severity: Medium
The DataPower Gateway must generate unique session identifiers using a FIPS 140-2 approved random number generator.
1
Rule
Severity: Medium
DB2 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
1
Rule
Severity: Medium
The MQ Appliance messaging server must generate a unique session identifier using a FIPS 140-2 approved random number generator.
2
Rule
Severity: High
The WebSphere Liberty Server must use FIPS 140-2 approved encryption modules when authenticating users and processes.
1
Rule
Severity: Medium
The WebSphere Application Server must utilize FIPS 140-2-approved encryption modules when authenticating users and processes.
1
Rule
Severity: Medium
The MQ Appliance network device must generate unique session identifiers using a FIPS 140-2 approved random number generator.
1
Rule
Severity: Medium
MobileIron Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator.
1
Rule
Severity: High
All SCOM servers must be configured for FIPS 140-2 compliance.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must generate unique session identifiers using a FIPS 140-2 approved random number generator.
2
Rule
Severity: High
The UEM server must generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
2
Rule
Severity: Medium
The VPN Gateway must generate unique session identifiers using FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
2
Rule
Severity: Medium
The Apache web server must use cryptography to protect the integrity of remote sessions.
2
Rule
Severity: Medium
The Apache web server must generate a session ID long enough that it cannot be guessed through brute force.
2
Rule
Severity: High
The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.
2
Rule
Severity: High
Tomcat must use FIPS-validated ciphers on secured connectors.
4
Rule
Severity: Medium
PostgreSQL must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: Medium
The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm.
2
Rule
Severity: Medium
The Cisco ISE must generate unique session identifiers using a FIPS 140-2 approved Random Number Generator (RNG) using DRBG.
2
Rule
Severity: Medium
The DBMS must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
2
Rule
Severity: Medium
MarkLogic Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: Medium
MariaDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
3
Rule
Severity: Medium
MongoDB must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: Medium
A private IIS 10.0 website authentication mechanism must use client certificates to transmit session identifier to assure integrity.
2
Rule
Severity: Medium
The IIS 10.0 website must generate unique session identifiers that cannot be reliably reproduced.
2
Rule
Severity: Medium
SQL Server must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: High
Automation Controller must implement cryptography mechanisms to protect the integrity of information.
2
Rule
Severity: Medium
Redis Enterprise DBMS must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
4
Rule
Severity: High
The vCenter Server must enable FIPS-validated cryptography.
2
Rule
Severity: Medium
The vCenter PostgreSQL service must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
2
Rule
Severity: High
The web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator.
2
Rule
Severity: Medium
The web server must generate unique session identifiers that cannot be reliably reproduced.
2
Rule
Severity: Medium
The web server must generate a session ID long enough that it cannot be guessed through brute force.
2
Rule
Severity: Medium
The web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.
2
Rule
Severity: Medium
The web server must generate unique session identifiers with definable entropy.
1
Rule
Severity: Medium
Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator.