CCI-001762

Disable or remove organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure.

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

5 rules found Severity: Medium

1 rule found Severity: Medium

5 rules found Severity: Medium

4 rules found Severity: Medium

5 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: High

3 rules found Severity: Medium

CCI-001762

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

Docker Enterprise network ports on all running containers must be limited to what is needed.

DB2 must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

All Web applications included with Apache Tomcat that are not required must be removed.

LockOutRealm must not be removed from Apache Tomcat.

The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.

Stack tracing must be disabled in Apache Tomcat.

Exchange services must be documented and unnecessary services must be removed or disabled.

SQL Server must disable communication protocols not required for operation.

Firewall rules must be configured on the Tanium Server for Console-to-Server communications.

Firewall rules must be configured on the Tanium Server for Server-to-Database communications.

Firewall rules must be configured on the Tanium module server to allow Server-to-Module Server communications from the Tanium Server.

Firewall rules must be configured on the Tanium Server for Server-to-Module Server communications.

Firewall rules must be configured on the Tanium Server for Server-to-Zone Server communications.

PostgreSQL must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

The EDB Postgres Advanced Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

IDMS terminal and lines that are not secure must be disabled.

PostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

PostgreSQL must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with the Ports, Protocols, and Services Management (PPSM) guidance.

Use of the QUIC protocol must be disabled.

Dial-out access from the Hardware Management Console Remote Support Facility (RSF) must be disabled for all classified systems.

The default mysql_secure_installation must be installed.

MarkLogic Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accordance with Ports, Protocols, and Services Management (PPSM) guidance.

The network ports on all running containers must be limited to required ports.

The DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Azure SQL Database must only use approved firewall settings deemed by the organization to be secure, including denying public network access.

Azure SQL Database must only use approved firewall settings deemed by the organization to be secure, including denying azure services access to the server.

The IIS 10.0 web server must not be running on a system providing any other role.

The Internet Printing Protocol (IPP) must be disabled on the IIS 10.0 web server.

The IIS 10.0 websites must use ports, protocols, and services according to Ports, Protocols, and Services Management (PPSM) guidelines.

The MySQL Database Server 8.0 must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Redis Enterprise DBMS must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Firewall rules must be configured on the Tanium Server for server-to-database communications.

The Solidcore client Command Line Interface (CLI) must be in lockdown mode.

The web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.

The Apache web server must prohibit or restrict the use of nonsecure or unnecessary ports, protocols, modules, and/or services.

All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform.

The Syslog client must use TCP connections.

MariaDB must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Disable TLS RC4 cipher in .Net

Exchange services must be documented, and unnecessary services must be removed or disabled.

SQL Server must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.

Rancher RKE2 runtime must enforce ports, protocols, and services that adhere to the PPSM CAL.

The UEM server must disable organization-defined functions, ports, protocols, and services (within the application) deemed unnecessary and/or non-secure.

Lookup Service must be configured with the appropriate ports.

ESX Agent Manager must be configured with the appropriate ports.

Performance Charts must be configured with the appropriate ports.

VMware Postgres must be configured to use the correct port.

The Security Token Service must be configured with the appropriate ports.

vSphere UI must be configured with the appropriate ports.

The vCenter PostgreSQL service must be configured to use an authorized port.

Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.

The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.

WebSphere MQ dead letter and alias dead letter queues are not properly defined.

WebSphere MQ RESLEVEL resources in the appropriate ADMIN resource class must be protected in accordance with security requirements.