Capacity
CCI-001813
Enforce access restrictions using organization-defined mechanisms.
8
Rule
Severity: Medium
Boot Loader Is Not Installed On Removeable Media
29
Rule
Severity: Medium
Disable GSSAPI Authentication
29
Rule
Severity: Medium
Disable Kerberos Authentication
7
Rule
Severity: Medium
UEFI Boot Loader Is Not Installed On Removeable Media
16
Rule
Severity: Medium
Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server
11
Rule
Severity: Medium
Ensure No Device Files are Unlabeled by SELinux
15
Rule
Severity: High
Uninstall tftp-server Package
1
Rule
Severity: Medium
Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled.
1
Rule
Severity: Low
Adobe Acrobat Pro DC Continuous privileged host locations must be disabled.
1
Rule
Severity: Medium
Adobe Reader DC must disable the ability to add Trusted Files and Folders.
1
Rule
Severity: Medium
Adobe Reader DC must disable the ability to elevate IE Trusts to Privileged Locations.
4
Rule
Severity: High
Apache web server application directories, libraries, and configuration files must only be accessible to privileged users.
2
Rule
Severity: High
Anonymous user access to the Apache web server application directories must be prohibited.
2
Rule
Severity: Medium
The application server must enforce access restrictions associated with changes to application server configuration.
2
Rule
Severity: Medium
If the Arista network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.
6
Rule
Severity: Medium
The application must enforce access restrictions associated with changes to application configuration.
2
Rule
Severity: Medium
The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.
2
Rule
Severity: Medium
Databases must be secured to protect from structural changes.
2
Rule
Severity: Medium
Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).
2
Rule
Severity: Medium
The online debugger which can change programs and storage in the CA IDMS address space must be secured.
2
Rule
Severity: Medium
CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
1
Rule
Severity: Medium
A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
1
Rule
Severity: Medium
The FortiGate device must enforce access restrictions associated with changes to device configuration.
2
Rule
Severity: Medium
Forescout must enforce access restrictions associated with changes to device configuration.
1
Rule
Severity: Medium
The DataPower Gateway must enforce access restrictions associated with changes to device configuration.
2
Rule
Severity: Medium
The server.xml file must be protected from unauthorized modification.
1
Rule
Severity: Medium
DB2 and the operating system must enforce access restrictions associated with changes to the configuration of DB2 or database(s).
1
Rule
Severity: Medium
The WebSphere Application Server users in a local user registry group must be authorized for that group.
1
Rule
Severity: Medium
The WebSphere Application Server users in the admin role must be authorized.
3
Rule
Severity: Medium
The Apache Tomcat shutdown port must be disabled.
2
Rule
Severity: Medium
The ISEC7 EMM Suite must remove any unnecessaryusers or groups that have permissions to the server.xml file in Apache Tomcat.
2
Rule
Severity: Medium
The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM.
2
Rule
Severity: Medium
Production JBoss servers must not allow automatic application deployment.
2
Rule
Severity: Medium
The Mainframe Product must enforce access restrictions associated with changes to application configuration.
2
Rule
Severity: Medium
Azure SQL Database must enforce access restrictions associated with changes to the configuration of the Azure SQL Database server or database(s).
1
Rule
Severity: Medium
Exchange software baseline copy must exist.
4
Rule
Severity: Medium
An Exchange software baseline copy must exist.
4
Rule
Severity: Medium
The Exchange software baseline copy must exist.
1
Rule
Severity: Medium
SQL Server and Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance or database(s).
2
Rule
Severity: Medium
ONTAP must enforce access restrictions associated with changes to the device configuration.
2
Rule
Severity: Medium
The network device must enforce access restrictions associated with changes to device configuration.
1
Rule
Severity: Medium
Nutanix AOS must enforce access restrictions associated with changes to application server configuration.
1
Rule
Severity: Medium
Nutanix AOS must not be configured to allow GSSAPIAuthentication.
1
Rule
Severity: Medium
Nutanix AOS must not be configured to allow KerberosAuthentication.
2
Rule
Severity: Medium
Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.
2
Rule
Severity: Medium
The SDN controller must be configured to enforce access restrictions associated with changes to the configuration.
1
Rule
Severity: Medium
Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.
1
Rule
Severity: Medium
The Tanium application must prohibit user installation of software without explicit privileged status.
2
Rule
Severity: Medium
The TippingPoint SMS must enforce access restrictions associated with changes to device configuration.
2
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
2
Rule
Severity: Medium
The UEM server must enforce access restrictions associated with changes to the server configuration.
2
Rule
Severity: Medium
Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.
2
Rule
Severity: Medium
$CATALINA_BASE/conf folder permissions must be set to 750.
2
Rule
Severity: Medium
$CATALINA_HOME folder must be owned by the root user, group tomcat.
2
Rule
Severity: Medium
$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.
2
Rule
Severity: Medium
$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.
2
Rule
Severity: Low
$CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.
2
Rule
Severity: Low
$CATALINA_BASE/temp folder permissions must be set to 750.
2
Rule
Severity: Medium
$CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.
1
Rule
Severity: High
The macOS system must enforce access restrictions.
3
Rule
Severity: High
The macOS system must disable the guest account.
2
Rule
Severity: Medium
The macOS system must disable root logon.
2
Rule
Severity: Medium
The macOS system must disable root logon for SSH.
3
Rule
Severity: Medium
The macOS system must disable the guest account.
3
Rule
Severity: Medium
PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s).
2
Rule
Severity: Medium
The container platform must enforce access restrictions for container platform configuration changes.
3
Rule
Severity: Medium
The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).
2
Rule
Severity: Medium
The DBMS must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).
2
Rule
Severity: Medium
The operating system must enforce access restrictions.
2
Rule
Severity: Medium
SSMC web server application, libraries, and configuration files must only be accessible to privileged users.
2
Rule
Severity: Medium
AIX must provide audit record generation functionality for DoD-defined auditable events.
2
Rule
Severity: High
CA-ACF2 must be installed, functional, and properly configured.
2
Rule
Severity: Medium
IBM RACF SETROPTS RVARYPW values must be properly set.
2
Rule
Severity: High
CA-TSS must be installed and properly configured.
2
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to enforce access restrictions associated with changes to device configuration.
2
Rule
Severity: Medium
MariaDB must enforce access restrictions associated with changes to the configuration of MariaDB or database(s).
3
Rule
Severity: Medium
MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s).
2
Rule
Severity: Medium
Access to web administration tools must be restricted to the web manager and the web managers designees.
2
Rule
Severity: Medium
SQL Server must enforce access restrictions associated with changes to the configuration of the database(s).
2
Rule
Severity: Medium
SQL Server must enforce access restrictions associated with changes to the configuration of the instance.
2
Rule
Severity: Medium
Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.
3
Rule
Severity: Medium
The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.
2
Rule
Severity: Medium
The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must enforce access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s).
2
Rule
Severity: Medium
Redis Enterprise DBMS must enforce access restrictions associated with changes to the configuration of Redis Enterprise DBMS or database(s).
2
Rule
Severity: High
OpenShift RBAC access controls must be enforced.
2
Rule
Severity: Medium
The Automation Controller NGINX web server application, libraries, and configuration files must only be accessible to privileged users.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow GSSAPI authentication.
2
Rule
Severity: Medium
RHEL 9 SSH daemon must not allow Kerberos authentication.
2
Rule
Severity: Medium
The VMM must enforce access restrictions associated with changes to the system.
1
Rule
Severity: Medium
VAMI server binaries and libraries must be verified for their integrity.
1
Rule
Severity: Medium
Performance Charts directory tree must have permissions in an out-of-the-box state.
1
Rule
Severity: Medium
ESX Agent Manager directory tree must have permissions in an out-of-the-box state.
1
Rule
Severity: Medium
ESX Agent Manager must set the secure flag for cookies.
1
Rule
Severity: Medium
Lookup Service directory tree must have permissions in an out-of-the-box state.
3
Rule
Severity: Medium
The vCenter Server user roles must be verified.
1
Rule
Severity: Medium
VMware Postgres configuration files must not be accessible by unauthorized users.
1
Rule
Severity: Medium
The Security Token Service directory tree must have permissions in an out-of-the-box state.
1
Rule
Severity: Medium
The vCenter Server users must have the correct roles assigned.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service files must have permissions in an out-of-the-box state.
3
Rule
Severity: Medium
The vCenter Lookup service files must have permissions in an out-of-the-box state.
1
Rule
Severity: Medium
The vSphere UI directory tree must have permissions in an out-of-the-box state.
3
Rule
Severity: Medium
The vCenter Perfcharts service files must have permissions in an out-of-the-box state.
3
Rule
Severity: Medium
The vCenter PostgreSQL service configuration files must not be accessible by unauthorized users.
3
Rule
Severity: Medium
The vCenter STS service files must have permissions in an out-of-the-box state.
2
Rule
Severity: Medium
The web server application, libraries, and configuration files must only be accessible to privileged users.
1
Rule
Severity: Medium
The BIG-IP appliance must be configured to enforce access restrictions associated with changes to device configuration.
1
Rule
Severity: Medium
The macOS system must disable root login.
1
Rule
Severity: Medium
The macOS system must disable root login for SSH.
1
Rule
Severity: Medium
PostgreSQL must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).
1
Rule
Severity: Medium
The ISEC7 SPHERE must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat.
1
Rule
Severity: High
Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
1
Rule
Severity: High
The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules