Capacity
CCI-001774
Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
8 | Rule | Severity: Medium | Install fapolicyd Package
7 | Rule | Severity: Medium | Enable the File Access Policy Service
3 | Rule | Severity: Medium | Ensure AppArmor is installed
3 | Rule | Severity: Medium | Install the pam_apparmor Package
5 | Rule | Severity: Medium | Ensure AppArmor is Active and Configured
2 | Rule | Severity: Medium | The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.
1 | Rule | Severity: Medium | Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.
1 | Rule | Severity: Medium | Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.
1 | Rule | Severity: Medium | Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.
2 | Rule | Severity: Low | Extensions that are approved for use must be allowlisted if used.
2 | Rule | Severity: Medium | Images stored within the container registry must contain only images to be run as containers within the container platform.
2 | Rule | Severity: Medium | The application must employ a deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software programs.
1 | Rule | Severity: Medium | Tanium must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.
4 | Rule | Severity: Low | The macOS system must be configured to disable the iCloud Calendar services.
4 | Rule | Severity: Low | The macOS system must be configured to disable the iCloud Reminders services.
4 | Rule | Severity: Low | The macOS system must be configured to disable iCloud Address Book services.
1 | Rule | Severity: Low | The macOS system must be configured to disable the Mail iCloud services.
4 | Rule | Severity: Low | The macOS system must be configured to disable the iCloud Notes services.
4 | Rule | Severity: Medium | The macOS system must be configured to disable Siri and dictation.
4 | Rule | Severity: High | The macOS system must be configured to disable the system preference pane for Apple ID.
1 | Rule | Severity: Medium | The macOS system must be configured to disable the system preference pane for Internet Accounts.
4 | Rule | Severity: Medium | The macOS system must be configured to disable the Siri Setup services.
4 | Rule | Severity: Medium | The macOS system must disable iCloud Keychain synchronization.
1 | Rule | Severity: Medium | The macOS system must disable iCloud document synchronization.
1 | Rule | Severity: Medium | The macOS system must disable iCloud bookmark synchronization.
1 | Rule | Severity: Medium | The macOS system must disable iCloud photo library.
1 | Rule | Severity: Medium | The macOS system must be configured to disable the system preference pane for TouchID.
4 | Rule | Severity: Medium | The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.
4 | Rule | Severity: Medium | The macOS system must be configured to disable the system preference pane for Siri.
3 | Rule | Severity: Low | The macOS system must be configured to disable the iCloud Mail services.
3 | Rule | Severity: Medium | The macOS system must cover or disable the built-in or attached camera when not in use.
3 | Rule | Severity: Medium | The macOS system must disable iCloud Document synchronization.
3 | Rule | Severity: Medium | The macOS system must disable iCloud Bookmark synchronization.
3 | Rule | Severity: Medium | The macOS system must disable the iCloud Photo Library.
3 | Rule | Severity: Medium | The macOS system must be configured to disable the system preference pane for TouchID and Password.
1 | Rule | Severity: Medium | The AppArmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
2 | Rule | Severity: Medium | The Ubuntu operating system must be configured to use AppArmor.
2 | Rule | Severity: Medium | The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.
6 | Rule | Severity: Medium | The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2 | Rule | Severity: Medium | AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2 | Rule | Severity: High | The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.
2 | Rule | Severity: High | IBM RACF must define UACC of NONE on all profiles.
2 | Rule | Severity: Medium | Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2 | Rule | Severity: Medium | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2 | Rule | Severity: Medium | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2 | Rule | Severity: Medium | The OL 8 "fapolicy" module must be installed.
2 | Rule | Severity: Medium | The OL 8 "fapolicy" module must be enabled.
2 | Rule | Severity: Medium | The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
2 | Rule | Severity: High | OpenShift RBAC access controls must be enforced.
2 | Rule | Severity: Medium | The SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
2 | Rule | Severity: Medium | The SUSE operating system AppArmor tool must be configured to control whitelisted applications and user home directory access control.
2 | Rule | Severity: Medium | RHEL 9 fapolicy module must be installed.
2 | Rule | Severity: Medium | RHEL 9 fapolicy module must be enabled.
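Added example, not code from any STIG, CCI or product named on this page: a POSIX shell script that performs the static part of the fapolicyd checks the fapolicy rules above call for. It verifies that a rule file has the deny-all, permit-by-exception shape (the last rule is the explicit catch-all deny, no blanket allow for execution precedes it, and at least one exception is present) and that fapolicyd.conf sets permissive = 0 so decisions are enforced rather than only logged. The rule files, configuration files, temporary paths and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the STIG/CCI text): static checks that a fapolicyd
# rule set is deny-all, permit-by-exception and that the daemon enforces it.
# fapolicyd rule syntax:  <decision> perm=<execute|open|any> <subject> : <object>
# Rules are evaluated top-down and the first match wins, so the policy is only
# "default deny" if the final rule denies everything and nothing above it
# allows everything. All files below are constructed for this example.

# Print the effective rules of a file: comments and blank lines dropped,
# whitespace normalised so the catch-all can be compared literally.
fapolicyd_effective_rules() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$' || true
}

# Return 0 if the rule set is deny-all, permit-by-exception; 1 otherwise.
fapolicyd_check_policy() {
    rules=$(fapolicyd_effective_rules "$1")
    if [ -z "$rules" ]; then
        echo "FAIL $1: no rules"; return 1
    fi
    last=$(printf '%s\n' "$rules" | tail -n 1)
    # The STIG-style expectation: the final rule is the explicit catch-all deny.
    if [ "$last" != "deny perm=any all : all" ]; then
        echo "FAIL $1: last rule is '$last', expected 'deny perm=any all : all'"; return 1
    fi
    # A blanket allow for execute (or any) before the catch-all makes the deny unreachable.
    if printf '%s\n' "$rules" | grep -Eq '^allow perm=(any|execute) all : all$'; then
        echo "FAIL $1: blanket allow for execution precedes the catch-all deny"; return 1
    fi
    # Without at least one explicit allow nothing could run: unusable, not secure.
    if ! printf '%s\n' "$rules" | grep -q '^allow '; then
        echo "FAIL $1: no permit-by-exception rules before the catch-all deny"; return 1
    fi
    echo "PASS $1"
}

# Return 0 if fapolicyd.conf has permissive = 0 (block, not merely log).
fapolicyd_check_enforcing() {
    if grep -Eq '^[[:space:]]*permissive[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"; then
        echo "PASS $1: permissive = 0"
    else
        echo "FAIL $1: permissive is not 0 (fapolicyd would log but not block)"; return 1
    fi
}

# ---- constructed sample inputs (hypothetical content, temporary paths) ----
WORK=$(mktemp -d)
GOOD_RULES="$WORK/good.rules"; BAD_RULES="$WORK/bad.rules"
GOOD_CONF="$WORK/good.conf";   BAD_CONF="$WORK/bad.conf"

cat > "$GOOD_RULES" <<'EOF'
# root may run trusted files; everyone may execute trusted binaries;
# the Python interpreter may only open trusted scripts; everything else is denied
allow perm=any uid=0 trust=1 : all
allow perm=execute all : trust=1
allow perm=open all : ftype=text/x-python trust=1
deny_audit perm=any pattern=ld_so : all
deny perm=any all : all
EOF

cat > "$BAD_RULES" <<'EOF'
# ends with the catch-all deny, but the second rule lets anything run first
allow perm=execute all : trust=1
allow perm=any all : all
deny perm=any all : all
EOF

printf 'permissive = 0\nintegrity = sha256\n' > "$GOOD_CONF"
printf 'permissive = 1\nintegrity = none\n'   > "$BAD_CONF"

fapolicyd_check_policy "$GOOD_RULES"
fapolicyd_check_policy "$BAD_RULES" || true
fapolicyd_check_enforcing "$GOOD_CONF"
fapolicyd_check_enforcing "$BAD_CONF" || true
```

On a live host the same functions can be pointed at the rules fapolicyd actually loaded (on current versions `fapolicyd-cli --list` prints them) and at /etc/fapolicyd/fapolicyd.conf. The check is static, so confirm separately that the package is installed and the service is active (`systemctl is-active fapolicyd`); a correct rule file on a stopped daemon enforces nothing.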
2 | Rule | Severity: Medium | A Trellix Application Control written policy must be documented to outline the organization-specific variables for application whitelisting.
2 | Rule | Severity: Medium | The configuration of features under Trellix Application Control Options policies Enforce feature control must be documented in the organization's written policy.
2 | Rule | Severity: Medium | The organization's written policy must include a process for how whitelisted applications are deemed to be allowed.
2 | Rule | Severity: Medium | The organization's written policy must include procedures for how often the whitelist of allowed applications is reviewed.
2 | Rule | Severity: Medium | The Solidcore client must be enabled.
2 | Rule | Severity: High | The Solidcore client Command Line Interface (CLI) Access Password must be changed from the default.
2 | Rule | Severity: Medium | The organization-specific Rules policy must only include executable and DLL files that are associated with applications as allowed by the organization's written policy.
2 | Rule | Severity: Medium | The Trellix Application Control Options Reputation-Based Execution settings, if enabled, must be configured to allow Most Likely Trusted or Known Trusted only.
2 | Rule | Severity: Medium | Organization-specific Trellix Application Control Options policies must be created and applied to all endpoints.
2 | Rule | Severity: Medium | The Trellix Application Control Options policy must be configured to disable Self-Approval.
2 | Rule | Severity: Medium | The Trellix Application Control Options policy End User Notification, if configured by the organization, must have all default variables replaced with the organization-specific data.
2 | Rule | Severity: Medium | The Trellix Application Control Options policies Enforce feature control memory protection must be enabled.
2 | Rule | Severity: Medium | Enabled features under Trellix Application Control Options policies Enforce feature control must not be configured unless documented in written policy and approved by the ISSO/ISSM.
2 | Rule | Severity: Medium | The Trellix Application Control Options Inventory option must be configured to hide OS Files.
2 | Rule | Severity: Medium | The Trellix Application Control Options Inventory interval option must be configured to pull inventory from endpoints on a regular basis not to exceed seven days.
2 | Rule | Severity: Medium | The Trellix Applications Default Rules policy must be part of the effective rules policy applied to every endpoint.
2 | Rule | Severity: Medium | A copy of the Trellix Default Rules policy must be part of the effective rules policy applied to every endpoint.
2 | Rule | Severity: Medium | The organization-specific Rules policies must be part of the effective rules policy applied to all endpoints.
2 | Rule | Severity: Medium | The organization-specific Solidcore Client Policies must be created and applied to all endpoints.
2 | Rule | Severity: Medium | The Throttling settings must be enabled and configured according to the organization's requirements.
2 | Rule | Severity: Medium | The Solidcore Client Exception Rules must be documented in the organization's written policy.
2 | Rule | Severity: Medium | The VMM must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and guest VMs.
1 | Rule | Severity: High | The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance levels must be verified.
3 | Rule | Severity: High | The ESXi Image Profile and vSphere Installation Bundle (VIB) acceptance level must be verified.
1 | Rule | Severity: Medium | Ubuntu 22.04 LTS must have the "apparmor" package installed.
1 | Rule | Severity: Medium | Ubuntu 22.04 LTS must be configured to use AppArmor.
1 | Rule | Severity: Medium | The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.
1 | Rule | Severity: Medium | MKE must only run signed images.