Skip to content
Log In

CCI-001813

Enforce access restrictions using organization-defined mechanisms.

Boot Loader Is Not Installed On Removeable Media

8 rules found Severity: Medium

Logo

Disable GSSAPI Authentication

31 rules found Severity: Medium

Logo

Disable Kerberos Authentication

31 rules found Severity: Medium

Logo

UEFI Boot Loader Is Not Installed On Removeable Media

7 rules found Severity: Medium

Logo

Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server

4 rules found Severity: Medium

Logo

Ensure No Device Files are Unlabeled by SELinux

4 rules found Severity: Medium

Logo

Uninstall tftp-server Package

6 rules found Severity: High

Logo

Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled.

1 rule found Severity: Medium

Logo

Adobe Acrobat Pro DC Continuous privileged host locations must be disabled.

1 rule found Severity: Low

Logo

Adobe Reader DC must disable the ability to add Trusted Files and Folders.

1 rule found Severity: Medium

Logo

Adobe Reader DC must disable the ability to elevate IE Trusts to Privileged Locations.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

1 rule found Severity: Medium

Logo

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

1 rule found Severity: Medium

Logo

The FortiGate device must enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

The DataPower Gateway must enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

DB2 and the operating system must enforce access restrictions associated with changes to the configuration of DB2 or database(s).

1 rule found Severity: Medium

Logo

The WebSphere Application Server users in a local user registry group must be authorized for that group.

1 rule found Severity: Medium

Logo

The WebSphere Application Server users in the admin role must be authorized.

1 rule found Severity: Medium

Logo

The Apache Tomcat shutdown port must be disabled.

2 rules found Severity: Medium

Logo

The ISEC7 EMM Suite must remove any unnecessaryusers or groups that have permissions to the server.xml file in Apache Tomcat.

1 rule found Severity: Medium

Logo

Exchange software baseline copy must exist.

1 rule found Severity: Medium

Logo

An Exchange software baseline copy must exist.

3 rules found Severity: Medium

Logo

The Exchange software baseline copy must exist.

3 rules found Severity: Medium

Logo

SQL Server and Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance or database(s).

1 rule found Severity: Medium

Logo

Nutanix AOS must enforce access restrictions associated with changes to application server configuration.

1 rule found Severity: Medium

Logo

Nutanix AOS must not be configured to allow GSSAPIAuthentication.

1 rule found Severity: Medium

Logo

Nutanix AOS must not be configured to allow KerberosAuthentication.

1 rule found Severity: Medium

Logo

Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration.

1 rule found Severity: Medium

Logo

The Tanium application must prohibit user installation of software without explicit privileged status.

1 rule found Severity: Medium

Logo

The application must enforce access restrictions associated with changes to application configuration.

4 rules found Severity: Medium

Logo

The macOS system must enforce access restrictions.

1 rule found Severity: High

Logo

MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s).

3 rules found Severity: Medium

Logo

The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself.

2 rules found Severity: Medium

Logo

PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s).

2 rules found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.

1 rule found Severity: Medium

Logo

The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support.

1 rule found Severity: High

Logo

The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s).

2 rules found Severity: Medium

Logo

The BIG-IP appliance must be configured to enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640.

1 rule found Severity: Medium

Logo

$CATALINA_BASE/conf folder permissions must be set to 750.

1 rule found Severity: Medium

Logo

$CATALINA_HOME folder must be owned by the root user, group tomcat.

1 rule found Severity: Medium

Logo

$CATALINA_BASE/conf/ folder must be owned by root, group tomcat.

1 rule found Severity: Medium

Logo

$CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat.

1 rule found Severity: Medium

Logo

$CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat.

1 rule found Severity: Low

Logo

$CATALINA_BASE/temp folder permissions must be set to 750.

1 rule found Severity: Low

Logo

$CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat.

1 rule found Severity: Medium

Logo

The macOS system must disable the guest account.

1 rule found Severity: High

Logo

If the Arista network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects.

1 rule found Severity: Medium

Logo

The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured.

1 rule found Severity: Medium

Logo

Databases must be secured to protect from structural changes.

1 rule found Severity: Medium

Logo

Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM).

1 rule found Severity: Medium

Logo

The online debugger which can change programs and storage in the CA IDMS address space must be secured.

1 rule found Severity: Medium

Logo

CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV.

1 rule found Severity: Medium

Logo

PostgreSQL must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).

1 rule found Severity: Medium

Logo

SSMC web server application, libraries, and configuration files must only be accessible to privileged users.

1 rule found Severity: Medium

Logo

AIX must provide audit record generation functionality for DoD-defined auditable events.

1 rule found Severity: Medium

Logo

The server.xml file must be protected from unauthorized modification.

1 rule found Severity: Medium

Logo

The ISEC7 SPHERE must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM.

1 rule found Severity: Medium

Logo

The Juniper EX switch must be configured to enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

Production JBoss servers must not allow automatic application deployment.

1 rule found Severity: Medium

Logo

Least privilege access and need to know must be required to access MKE runtime and instantiate container images.

1 rule found Severity: High

Logo

Azure SQL Database must enforce access restrictions associated with changes to the configuration of the Azure SQL Database server or database(s).

1 rule found Severity: Medium

Logo

Access to web administration tools must be restricted to the web manager and the web managers designees.

1 rule found Severity: Medium

Logo

The network device must enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

ONTAP must enforce access restrictions associated with changes to the device configuration.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.

1 rule found Severity: Medium

Logo

The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed.

1 rule found Severity: Medium

Logo

The MySQL Database Server 8.0 must enforce access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s).

1 rule found Severity: Medium

Logo

Redis Enterprise DBMS must enforce access restrictions associated with changes to the configuration of Redis Enterprise DBMS or database(s).

1 rule found Severity: Medium

Logo

The Automation Controller NGINX web server application, libraries, and configuration files must only be accessible to privileged users.

1 rule found Severity: Medium

Logo

The SDN controller must be configured to enforce access restrictions associated with changes to the configuration.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

1 rule found Severity: High

Logo

The web server application, libraries, and configuration files must only be accessible to privileged users.

1 rule found Severity: Medium

Logo

Apache web server application directories, libraries, and configuration files must only be accessible to privileged users.

2 rules found Severity: High

Logo

The Apache web server application, libraries, and configuration files must only be accessible to privileged users.

1 rule found Severity: Medium

Logo

Anonymous user access to the Apache web server application directories must be prohibited.

1 rule found Severity: High

Logo

The macOS system must disable root logon.

1 rule found Severity: Medium

Logo

The macOS system must disable root logon for SSH.

1 rule found Severity: Medium

Logo

The macOS system must disable root login.

1 rule found Severity: Medium

Logo

The macOS system must disable the guest account.

2 rules found Severity: Medium

Logo

The macOS system must disable root login for SSH.

1 rule found Severity: Medium

Logo

The application server must enforce access restrictions associated with changes to application server configuration.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication.

1 rule found Severity: Medium

Logo

The container platform must enforce access restrictions for container platform configuration changes.

1 rule found Severity: Medium

Logo

The container root filesystem must be mounted as read-only.

1 rule found Severity: Medium

Logo

The DBMS must enforce access restrictions associated with changes to the configuration of the DBMS or database(s).

1 rule found Severity: Medium

Logo

Forescout must enforce access restrictions associated with changes to device configuration.

1 rule found Severity: Medium

Logo

The operating system must enforce access restrictions.

1 rule found Severity: Medium

Logo

CA-ACF2 must be installed, functional, and properly configured.

1 rule found Severity: High

Logo

IBM RACF SETROPTS RVARYPW values must be properly set.

1 rule found Severity: Medium

Logo

CA-TSS must be installed and properly configured.

1 rule found Severity: High

Logo

MariaDB must enforce access restrictions associated with changes to the configuration of MariaDB or database(s).

1 rule found Severity: Medium

Logo

The Mainframe Product must enforce access restrictions associated with changes to application configuration.

1 rule found Severity: Medium

Logo

SQL Server must enforce access restrictions associated with changes to the configuration of the database(s).

1 rule found Severity: Medium

Logo

SQL Server must enforce access restrictions associated with changes to the configuration of the instance.

1 rule found Severity: Medium

Logo

Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance.

1 rule found Severity: Medium

Logo

Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders.

1 rule found Severity: Medium

Logo

OpenShift RBAC access controls must be enforced.

1 rule found Severity: High

Logo

RHEL 9 SSH daemon must not allow GSSAPI authentication.

1 rule found Severity: Medium

Logo

RHEL 9 SSH daemon must not allow Kerberos authentication.

1 rule found Severity: Medium

Logo

The UEM server must enforce access restrictions associated with changes to the server configuration.

1 rule found Severity: Medium

Logo

The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations.

1 rule found Severity: High

Logo

The VMM must enforce access restrictions associated with changes to the system.

1 rule found Severity: Medium

Logo

ESX Agent Manager directory tree must have permissions in an out-of-the-box state.

1 rule found Severity: Medium

Logo

VAMI server binaries and libraries must be verified for their integrity.

1 rule found Severity: Medium

Logo

Lookup Service directory tree must have permissions in an out-of-the-box state.

1 rule found Severity: Medium

Logo

ESX Agent Manager must set the secure flag for cookies.

1 rule found Severity: Medium

Logo

Performance Charts directory tree must have permissions in an out-of-the-box state.

1 rule found Severity: Medium

Logo

The vCenter Server user roles must be verified.

2 rules found Severity: Medium

Logo

VMware Postgres configuration files must not be accessible by unauthorized users.

1 rule found Severity: Medium

Logo

The vCenter ESX Agent Manager service files must have permissions in an out-of-the-box state.

2 rules found Severity: Medium

Logo

The Security Token Service directory tree must have permissions in an out-of-the-box state.

1 rule found Severity: Medium

Logo

The vCenter Lookup service files must have permissions in an out-of-the-box state.

2 rules found Severity: Medium

Logo

The vSphere UI directory tree must have permissions in an out-of-the-box state.

1 rule found Severity: Medium

Logo

The vCenter Server users must have the correct roles assigned.

1 rule found Severity: Medium

Logo

The vCenter Perfcharts service files must have permissions in an out-of-the-box state.

2 rules found Severity: Medium

Logo

The vCenter PostgreSQL service configuration files must not be accessible by unauthorized users.

2 rules found Severity: Medium

Logo

The vCenter STS service files must have permissions in an out-of-the-box state.

2 rules found Severity: Medium

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo