CCI-001958
Authenticate organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection.
11
Rule
Severity: Medium
Disable GNOME3 Automounting
12
Rule
Severity: Medium
Disable GNOME3 Automount Opening
12
Rule
Severity: Low
Disable GNOME3 Automount running
19
Rule
Severity: Medium
Disable DCCP Support
23
Rule
Severity: Medium
Disable the Automounter
19
Rule
Severity: Medium
Disable Modprobe Loading of USB Storage Driver
13
Rule
Severity: Medium
Install usbguard Package
8
Rule
Severity: Medium
Enable the USBGuard Service
6
Rule
Severity: Medium
Generate USBGuard Policy
2
Rule
Severity: Medium
AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
1
Rule
Severity: Medium
The Arista Multilayer Switch must authenticate 802.1X connected devices before establishing any connection.
4
Rule
Severity: Medium
The PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
2
Rule
Severity: Medium
The application must authenticate all network connected endpoint devices before establishing any connection.
2
Rule
Severity: High
The BIND 9.x server implementation must uniquely identify and authenticate the other DNS server before responding to a server-to-server transaction, zone transfer and/or dynamic update request using cryptographically based bidirectional authentication to protect the integrity of the information in transit.
2
Rule
Severity: Medium
The DNS server implementation must authenticate the other DNS server before responding to a server-to-server transaction.
2
Rule
Severity: Medium
Forescout must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.
2
Rule
Severity: Medium
Forescout must be configured to apply dynamic ACLs that restrict the use of ports when non-entity endpoints are connected using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.
2
Rule
Severity: Medium
Forescout switch module must only allow a maximum of one registered MAC address per access port. This is required for compliance with C2C Step 4.
1
Rule
Severity: High
HP FlexFabric Switch must authenticate all network-connected endpoint devices before establishing any connection.
1
Rule
Severity: Medium
The Infoblox DNS server must authenticate to any external (non-Grid) DNS servers before responding to a server-to-server transaction.
1
Rule
Severity: Medium
The MQ Appliance messaging server must authenticate all network-connected endpoint devices before establishing any connection.
1
Rule
Severity: Medium
The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.
1
Rule
Severity: Medium
The Infoblox system must authenticate the other DNS server before responding to a server-to-server transaction.
2
Rule
Severity: Medium
The Juniper PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
4
Rule
Severity: Medium
The Juniper Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.
2
Rule
Severity: Medium
The layer 2 switch must authenticate all network-connected endpoint devices before establishing any connection.
1
Rule
Severity: Medium
Outlook Dial-up options to Warn user before allowing switch in dial-up access must be configured.
3
Rule
Severity: Medium
The secondary Windows DNS name servers must cryptographically authenticate zone transfers from primary name servers.
1
Rule
Severity: Medium
The Windows DNS primary server must only send zone transfers to a specific list of secondary name servers.
1
Rule
Severity: Medium
The Windows 2012 DNS Server must provide its identity with returned DNS information by enabling DNSSEC and TSIG/SIG(0).
2
Rule
Severity: Medium
The Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.
1
Rule
Severity: Medium
The SEL-2740S must authenticate all network-connected endpoint devices before establishing any connection.
1
Rule
Severity: Medium
The Tanium endpoint must have the Tanium Servers public key in its installation, which will allow it to authenticate and uniquely identify all network-connected endpoint devices before establishing any connection.
1
Rule
Severity: Medium
The Tanium endpoint must have the Tanium Servers public key in its installation.
2
Rule
Severity: Medium
The VPN Gateway must authenticate all network-connected endpoint devices before establishing a connection.
1
Rule
Severity: Medium
The macOS system must authenticate peripherals before establishing a connection.
3
Rule
Severity: Medium
The macOS system must authorize USB devices before allowing connection.
3
Rule
Severity: Medium
The Ubuntu operating system must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.
6
Rule
Severity: Medium
The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
6
Rule
Severity: Medium
The Cisco Multicast Source Discovery Protocol (MSDP) router must be configured to authenticate all received MSDP packets.
4
Rule
Severity: High
The Cisco switch must uniquely identify and authenticate all network-connected endpoint devices before establishing any connection.
6
Rule
Severity: Medium
The Cisco PE switch providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.
4
Rule
Severity: Medium
The Cisco Multicast Source Discovery Protocol (MSDP) switch must be configured to authenticate all received MSDP packets.
2
Rule
Severity: Medium
The Cisco ISE must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. This is required for compliance with C2C Step 4.
2
Rule
Severity: Medium
The Cisco ISE must be configured to dynamically apply restricted access of endpoints that are granted access using MAC Authentication Bypass (MAB). This is required for compliance with C2C Step 4.
2
Rule
Severity: Medium
The Cisco switch must authenticate all endpoint devices before establishing any connection.
2
Rule
Severity: Medium
The operating system must authenticate peripherals before establishing a connection.
2
Rule
Severity: Medium
If automated file system mounting tool is not required on AIX, it must be disabled.
2
Rule
Severity: Medium
The ICS must be configured to authenticate all clients before establishing a connection.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to authenticate all network-connected endpoint devices before establishing any connection.
2
Rule
Severity: Medium
The router providing MPLS L2VPN services must be configured to authenticate targeted LDP sessions used to exchange VC information using a FIPS-approved message authentication code algorithm.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to disable USB mass storage.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.
2
Rule
Severity: Medium
The Oracle Linux operating system must disable the graphical user interface automounter unless required.
2
Rule
Severity: Medium
OL 8 must have the USBGuard installed.
2
Rule
Severity: Medium
OL 8 must block unauthorized peripherals before establishing a connection.
2
Rule
Severity: Medium
OL 8 must enable the USBGuard.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable the file system automounter unless required.
2
Rule
Severity: Medium
RHEL 8 must block unauthorized peripherals before establishing a connection.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required.
2
Rule
Severity: Medium
RHEL 8 must have the USBGuard installed.
2
Rule
Severity: Medium
RHEL 8 must enable the USBGuard.
2
Rule
Severity: Medium
RHEL 9 file system automount function must be disabled unless required.
4
Rule
Severity: Medium
The SUSE operating system must disable the USB mass storage kernel module.
4
Rule
Severity: Medium
The SUSE operating system must disable the file system automounter unless required.
2
Rule
Severity: Medium
RHEL 9 must disable the graphical user interface automount function unless required.
2
Rule
Severity: Medium
RHEL 9 must prevent a user from overriding the disabling of the graphical user interface automount function.
2
Rule
Severity: Medium
RHEL 9 must prevent a user from overriding the disabling of the graphical user interface autorun function.
2
Rule
Severity: Medium
RHEL 9 must be configured to disable USB mass storage.
2
Rule
Severity: Medium
RHEL 9 must have the USBGuard package installed.
2
Rule
Severity: Medium
RHEL 9 must have the USBGuard package enabled.
2
Rule
Severity: Medium
RHEL 9 must block unauthorized peripherals before establishing a connection.
2
Rule
Severity: Medium
The VMM must authenticate peripherals before establishing a connection.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must disable automatic mounting of Universal Serial Bus (USB) mass storage driver.
1
Rule
Severity: Medium
The F5 BIG-IP must be configured to identify and authenticate all endpoint devices or peers before establishing a connection.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video Endpoint device before registration.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Session Manager must be configured to authenticate each Voice Video peer (trunk) before registration.
1
Rule
Severity: Medium
SLEM 5 must disable the USB mass storage kernel module.
1
Rule
Severity: Medium
TOSS must be configured to disable USB mass storage.