CCI-001774

Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.

10 rules found Severity: Medium

9 rules found Severity: Medium

10 rules found Severity: Medium

8 rules found Severity: Medium

10 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Low

1 rule found Severity: Low

2 rules found Severity: Low

2 rules found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

2 rules found Severity: High

CCI-001774

Install fapolicyd Package

Enable the File Access Policy Service

Ensure AppArmor is installed

Install the pam_apparmor Package

Ensure AppArmor is Active and Configured

Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.

Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.

Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.

Tanium must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.

The macOS system must be configured to disable the iCloud Calendar services.

The macOS system must be configured to disable the iCloud Reminders services.

The macOS system must be configured to disable iCloud Address Book services.

The macOS system must be configured to disable the Mail iCloud services.

The macOS system must be configured to disable the iCloud Notes services.

The macOS system must be configured to disable Siri and dictation.

The macOS system must be configured to disable the system preference pane for Apple ID.

The macOS system must be configured to disable the system preference pane for Internet Accounts.

The macOS system must be configured to disable the Siri Setup services.

The macOS system must disable iCloud Keychain synchronization.

The macOS system must disable iCloud document synchronization.

The macOS system must disable iCloud bookmark synchronization.

The macOS system must disable iCloud photo library.

The macOS system must be configured to disable the system preference pane for TouchID.

The macOS system must be configured to disable the system preference pane for Wallet and ApplePay.

The macOS system must be configured to disable the system preference pane for Siri.

The Apparmor module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and limit the ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.

The macOS system must be configured to disable the iCloud Mail services.

The macOS system must cover or disable the built-in or attached camera when not in use.

The macOS system must disable iCloud Document synchronization.

The macOS system must disable iCloud Bookmark synchronization.

The macOS system must disable the iCloud Photo Library.

The macOS system must be configured to disable the system preference pane for TouchID and Password.

The Ubuntu operating system must be configured to use AppArmor.

AIX must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

MKE must only run signed images.

Extensions that are approved for use must be allowlisted if used.

The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

Windows Server 2016 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

The application must employ a deny-all, permit-by-exception (allowlist) policy to allow the execution of authorized software programs.

A Trellix Application Control written policy must be documented to outline the organization-specific variables for application whitelisting.

The configuration of features under Trellix Application Control Options policies Enforce feature control must be documented in the organizations written policy.

The organizations written policy must include a process for how whitelisted applications are deemed to be allowed.

The organizations written policy must include procedures for how often the whitelist of allowed applications is reviewed.

The Solidcore client must be enabled.

The Solidcore client Command Line Interface (CLI) Access Password must be changed from the default.

The organization-specific Rules policy must only include executable and dll files that are associated with applications as allowed by the organizations written policy.

The Trellix Application Control Options Reputation-Based Execution settings, if enabled, must be configured to allow Most Likely Trusted or Known Trusted only.

Organization-specific Trellix Applications Control Options policies must be created and applied to all endpoints.

The Trellix Application Control Options policy must be configured to disable Self-Approval.

The Trellix Application Control Options policy End User Notification, if configured by organization, must have all default variables replaced with the organization-specific data.

The Trellix Application Control Options policies Enforce feature control memory protection must be enabled.

Enabled features under Trellix Application Control Options policies Enforce feature control must not be configured unless documented in written policy and approved by ISSO/ISSM.

The Trellix Application Control Options Inventory option must be configured to hide OS Files.

The Trellix Application Control Options Inventory interval option must be configured to pull inventory from endpoints on a regular basis not to exceed seven days.

The Trellix Applications Default Rules policy must be part of the effective rules policy applied to every endpoint.

A copy of the Trellix Default Rules policy must be part of the effective rules policy applied to every endpoint.

The organization-specific Rules policies must be part of the effective rules policy applied to all endpoints.

The organization-specific Solidcore Client Policies must be created and applied to all endpoints.

The Throttling settings must be enabled and configured to settings according to organizations requirements.

The Solidcore Client Exception Rules must be documented in the organizations written policy.

The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs.

Ubuntu 22.04 LTS must have the "apparmor" package installed.

Ubuntu 22.04 LTS must be configured to use AppArmor.

The Infrastructure as a Service (IaaS)/Platform as a Service (PaaS)/Software as a Service (SaaS) must register the service/application with the DOD DMZ/IAP allowlist for internet-facing inbound and outbound traffic.

AlmaLinux OS 9 fapolicy module must be enabled.

AlmaLinux OS 9 fapolicy module must be installed.

The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform.

IBM RACF must define UACC of NONE on all profiles.

The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL.

Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

Images stored within the container registry must contain only images to be run as containers within the container platform.

OpenShift RBAC access controls must be enforced.

The OL 8 "fapolicy" module must be installed.

The OL 8 "fapolicy" module must be enabled.

The OL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

RHEL 9 fapolicy module must be installed.

RHEL 9 fapolicy module must be enabled.

The SUSE operating system Apparmor tool must be configured to control whitelisted applications and user home directory access control.