Skip to content
Log In

CCI-001664

Recognize only session identifiers that are system-generated.

The DataPower Gateway must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.

1 rule found Severity: Medium

Logo

When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.

2 rules found Severity: Low

Logo

The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.

1 rule found Severity: Low

Logo

The F5 BIG-IP appliance must be configured to disable the "Persistent" cookie flag.

1 rule found Severity: Low

Logo

Tomcat must be configured to limit data exposure between applications.

1 rule found Severity: Low

Logo

The F5 BIG-IP appliance must be configured to enable the secure cookie flag.

1 rule found Severity: Low

Logo

The F5 BIG-IP appliance must be configured to disable the persistent cookie flag.

1 rule found Severity: Low

Logo

The IIS 10.0 web server must use cookies to track session state.

1 rule found Severity: Medium

Logo

The IIS 10.0 web server must accept only system-generated session identifiers.

1 rule found Severity: Medium

Logo

The network device must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

Redis Enterprise DBMS must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

Cookies exchanged between any Automation Controller NGINX web server and any client, such as session cookies, must have security settings that disallow cookie access outside the originating Automation Controller NGINX web server and hosted application.

1 rule found Severity: Medium

Logo

Cookies exchanged between the web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating web server and hosted application.

1 rule found Severity: Medium

Logo

The web server must accept only system-generated session identifiers.

1 rule found Severity: Medium

Logo

Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.

4 rules found Severity: Medium

Logo

The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

1 rule found Severity: High

Logo

The Apache web server must accept only system-generated session identifiers.

2 rules found Severity: Medium

Logo

The ALG must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

The application server must generate a unique session identifier for each session.

1 rule found Severity: Medium

Logo

The application server must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

Applications must use system-generated session identifiers that protect against session fixation.

1 rule found Severity: Medium

Logo

Applications must validate session identifiers.

1 rule found Severity: Medium

Logo

Applications must not use URL embedded session IDs.

1 rule found Severity: Medium

Logo

The application must not re-use or recycle session IDs.

1 rule found Severity: Medium

Logo

The DBMS must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

AOS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

1 rule found Severity: High

Logo

The UEM server must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

ESX Agent Manager must protect cookies from cross-site scripting (XSS).

1 rule found Severity: Medium

Logo

Lookup Service must protect cookies from cross-site scripting (XSS).

1 rule found Severity: Medium

Logo

The vCenter ESX Agent Manager service must be configured to limit data exposure between applications.

2 rules found Severity: Medium

Logo

The Security Token Service must protect cookies from cross-site scripting (XSS).

1 rule found Severity: Medium

Logo

The vCenter Lookup service must be configured to limit data exposure between applications.

2 rules found Severity: Medium

Logo

vSphere UI must restrict its cookie path.

1 rule found Severity: Medium

Logo

The vCenter Perfcharts service must be configured to limit data exposure between applications.

2 rules found Severity: Medium

Logo

The VPN Gateway must recognize only system-generated session identifiers.

1 rule found Severity: Medium

Logo

The vCenter STS service must be configured to limit data exposure between applications.

2 rules found Severity: Medium

Logo

The vCenter UI service must be configured to limit data exposure between applications.

2 rules found Severity: Medium

Logo