Capacity
CCI-001368
Enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
1
Rule
Severity: Medium
The A10 Networks ADC must restrict management connections to the management network.
2
Rule
Severity: Medium
The ALG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
2
Rule
Severity: Medium
The Arista BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
2
Rule
Severity: Medium
The Arista BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
2
Rule
Severity: Medium
The Arista BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
2
Rule
Severity: Medium
The Arista BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
2
Rule
Severity: Low
The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
2
Rule
Severity: Low
The Arista Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
2
Rule
Severity: Low
The Arista MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.
2
Rule
Severity: Medium
The Arista network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
2
Rule
Severity: Medium
The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
1
Rule
Severity: Medium
The CA API Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1
Rule
Severity: Medium
The FortiGate device must allow full access to only those individuals or roles designated by the ISSM.
1
Rule
Severity: Medium
The HP FlexFabric Switch must enforce approved authorizations for controlling the flow of management information within the HP FlexFabric Switch based on information flow control policies.
1
Rule
Severity: Medium
The HYCU virtual machine must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1
Rule
Severity: Medium
The DataPower Gateway must enforce approved authorizations for controlling the flow of management information within DataPower based on information flow control policies.
1
Rule
Severity: Medium
The DataPower Gateway must not use 0.0.0.0 as the management IP address.
1
Rule
Severity: Medium
The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1
Rule
Severity: Low
MobileIron Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
2
Rule
Severity: Medium
The Sentry must enforce approved authorizations for controlling the flow of information within the network based on attribute-based inspection of the source, destination, and headers, of the communications traffic.
2
Rule
Severity: Medium
The Juniper router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
4
Rule
Severity: Medium
The Juniper router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
2
Rule
Severity: Medium
The Juniper Networks SRX Series Gateway IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.
4
Rule
Severity: Medium
The Juniper BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
4
Rule
Severity: Medium
The Juniper BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
2
Rule
Severity: Medium
The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) Juniper router for prefixes that are not allocated to that customer.
4
Rule
Severity: Medium
The Juniper BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
2
Rule
Severity: Low
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
2
Rule
Severity: Low
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
2
Rule
Severity: Low
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on per-peer basis.
2
Rule
Severity: Medium
The Mainframe Product must enforce approved authorizations for controlling the flow of information within the system based on site security plan information flow control policies.
4
Rule
Severity: Medium
Exchange must have accepted domains configured.
2
Rule
Severity: Medium
Exchange external Receive connectors must be domain secure-enabled.
4
Rule
Severity: Medium
Exchange auto-forwarding email to remote domains must be disabled or restricted.
2
Rule
Severity: Medium
The network device must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
2
Rule
Severity: Medium
Prisma Cloud Compute Collections must be used to partition views and enforce organizational-defined need-to-know access.
2
Rule
Severity: Medium
The BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
2
Rule
Severity: Medium
The BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
2
Rule
Severity: Medium
The BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
2
Rule
Severity: Medium
The BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
2
Rule
Severity: Low
The Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
2
Rule
Severity: Low
The Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
2
Rule
Severity: Low
The MSDP router must be configured to limit the amount of source-active messages it accepts on per-peer basis.
2
Rule
Severity: Medium
The SDN controller must be configured to enforce approved authorizations for controlling the flow of traffic within the network based on organization-defined information flow control policies.
1
Rule
Severity: Medium
Innoslate must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
1
Rule
Severity: Medium
Symantec ProxySG must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1
Rule
Severity: Medium
Symantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI).
2
Rule
Severity: High
The Trend Micro TippingPoint Security Management System (SMS) must be configured to send security IPS policy to the Trend Micro Threat Protection System (TPS).
2
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
2
Rule
Severity: Medium
The Cisco ASA must be configured to enforce approved authorizations for controlling the flow of management information within the Cisco ASA based on information flow control policies.
4
Rule
Severity: Medium
The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
6
Rule
Severity: Medium
The Cisco BGP router must be configured to reject inbound route advertisements for any Bogon prefixes.
6
Rule
Severity: Medium
The Cisco BGP router must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
6
Rule
Severity: Medium
The Cisco BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
6
Rule
Severity: Medium
The Cisco BGP router must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
6
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
6
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
6
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
6
Rule
Severity: Medium
The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
6
Rule
Severity: Medium
The Cisco switch must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies.
3
Rule
Severity: Medium
The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to reject inbound route advertisements for any Bogon prefixes.
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to reject inbound route advertisements for any prefixes belonging to the local autonomous system (AS).
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to reject inbound route advertisements from a customer edge (CE) switch for prefixes that are not allocated to that customer.
4
Rule
Severity: Medium
The Cisco BGP switch must be configured to reject outbound route advertisements for any prefixes that do not belong to any customers or the local autonomous system (AS).
4
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter received source-active multicast advertisements for any undesirable multicast groups and sources.
4
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
4
Rule
Severity: Low
The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to limit the amount of source-active messages it accepts on a per-peer basis.
2
Rule
Severity: Medium
The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
2
Rule
Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
2
Rule
Severity: Medium
The Juniper BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer.
2
Rule
Severity: Low
The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter received source-active multicast advertisements for any undesirable multicast groups and sources.
2
Rule
Severity: Low
The Juniper router configured for Multicast Source Discovery Protocol (MSDP) must filter source-active multicast advertisements to external MSDP peers to avoid global visibility of local-only multicast sources and groups.
2
Rule
Severity: Low
The Juniper router configured for MSDP must limit the amount of source-active messages it accepts on per-peer basis.
2
Rule
Severity: Medium
OpenShift must enforce network policy on the namespace for controlling the flow of information within the container platform based on organization-defined information flow control policies.
2
Rule
Severity: Medium
All interactions among guest VMs must be mediated by the VMM or its service VMs to support proper function.
1
Rule
Severity: Medium
The BIG-IP Core implementation must be configured to enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to maintain VLAN separation from the voice video VLAN, or be disabled.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to integrate into the implemented 802.1x network access control system.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint PC port must be configured to connect to an 802.1x supplicant or the PC port must be disabled.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint not supporting 802.1x must be configured to use MAC Authentication Bypass (MAB) on the access switchport.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must be configured to use a voice video VLAN, separate from all other VLANs.
1
Rule
Severity: High
The F5 BIG-IP appliance providing user access control intermediary services must implement attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to only enable the extension mobility feature for endpoints on a per user basis.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to globally disable the extension mobility feature for endpoints.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to use DNS servers assigned to support the VVoIP system.
1
Rule
Severity: Medium
The IDPS must enforce approved authorizations by restricting or blocking the flow of harmful or suspicious communications traffic within the network as defined in the PPSM CAL and vulnerability assessments.
1
Rule
Severity: Low
Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies.
1
Rule
Severity: Medium
MKE must have Grants created to control authorization to cluster resources.
1
Rule
Severity: Medium
The router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
1
Rule
Severity: Low
The BGP router must be configured to reject route advertisements from BGP peers that do not list their autonomous system (AS) number as the first AS in the AS_PATH attribute.
1
Rule
Severity: Low
The BGP router must be configured to reject route advertisements from CE routers with an originating AS in the AS_PATH attribute that does not belong to that customer.
1
Rule
Severity: High
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules