CCI-001764
Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
6 rules found Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1 rule found Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1 rule found Severity: Medium
Google Android 12 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
2 rules found Severity: Medium
Microsoft Android 11 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
2 rules found Severity: Medium
3 rules found Severity: Medium
The opening of pre-release versions of file formats new to Excel 2013 through the Compatibility Pack for Office 2013 and Excel 2013 Converter must be blocked.
1 rule found Severity: Medium
The opening of pre-release versions of file formats new to PowerPoint 2013 through the Compatibility Pack for Office 2013 and PowerPoint 2013 Converter must be blocked.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Low
Samsung Android must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
1 rule found Severity: Medium
Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: names.
1 rule found Severity: Medium
Google Android 14 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
3 rules found Severity: Medium
Google Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
3 rules found Severity: Medium
AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
1 rule found Severity: Medium
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1 rule found Severity: High
2 rules found Severity: High
1 rule found Severity: High
1 rule found Severity: Low
Samsung Android's Work profile must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
3 rules found Severity: Medium
The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
1 rule found Severity: Medium
For Impact Levels 4 and 5, the Mission Owner must register all cloud-based services, their CSP/CSO, and connection method in the DISA Systems/Network Approval Process (SNAP) database Cloud Module.
1 rule found Severity: Medium
For Impact Level 6, the Mission Owner must process connection approval to the SIPRNet through the DISA classified connection approval process.
1 rule found Severity: Medium
The Mission Owner of the Infrastructure as a Service (IaaS)/Platform as a Service (PaaS) must remove orphaned or unused virtual machine (VM) instances.
1 rule found Severity: Medium
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
1 rule found Severity: Medium
AlmaLinux OS 9 must prevent device files from being interpreted on file systems that contain user home directories.
1 rule found Severity: Medium
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
1 rule found Severity: Medium
AlmaLinux OS 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
1 rule found Severity: Medium
The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
1 rule found Severity: Medium
1 rule found Severity: High
Google Android 15 must be configured to enforce an application installation policy by specifying an application allow list that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
2 rules found Severity: Medium
The operating system must prevent program execution in accordance with local policies regarding software program usage and restrictions and/or rules authorizing the terms and conditions of software program usage.
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: Medium
2 rules found Severity: High
1 rule found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: High
2 rules found Severity: Medium
2 rules found Severity: Medium
1 rule found Severity: Medium
1 rule found Severity: High
1 rule found Severity: High
The configuration integrity of the container platform must be ensured and runtime policies must be configured.
1 rule found Severity: High
The configuration integrity of the container platform must be ensured and compliance policies must be configured.
1 rule found Severity: High
The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.
1 rule found Severity: High
OpenShift must prevent the installation of patches, service packs, device drivers, or operating system components without verification they have been digitally signed using a certificate that is recognized and approved by the organization.
1 rule found Severity: Medium
The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
1 rule found Severity: Medium
RHEL 9 must prevent device files from being interpreted on file systems that contain user home directories.
1 rule found Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories.
1 rule found Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot directory.
1 rule found Severity: Medium
RHEL 9 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory.
1 rule found Severity: Medium
1 rule found Severity: Medium
The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
1 rule found Severity: Medium
The RHEL 9 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
1 rule found Severity: Medium
SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
1 rule found Severity: Medium
The operating system must employ automated mechanisms to prevent program execution in accordance with the organization-defined specifications.
2 rules found Severity: Medium
Samsung Android's Work environment must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
2 rules found Severity: Medium
Samsung Android must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: Names.
2 rules found Severity: Medium
1 rule found Severity: Medium
Zebra Android 13 must be configured to enforce an application installation policy by specifying an application allowlist that restricts applications by the following characteristics: [selection: list of digital signatures, cryptographic hash values, names, application version].
2 rules found Severity: Medium
Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.
1 rule found Severity: High