CCI-002314

Install firewalld Package

Verify firewalld Enabled

Verify ufw Enabled

Configure the Firewalld Ports

Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems

Install SuSEfirewall2 Package

Install ufw Package

Compliance Guardian must control remote access methods.

The Apache web server must restrict inbound connections from nonsecure zones.

The ALG providing intermediary services for remote access communications traffic must control remote access methods.

The application server must control remote access methods.

DocAve must control remote access methods.

The CA API Gateway providing intermediary services for remote access communications traffic must control remote access methods.

DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.

Application security must be enabled on the WebSphere Liberty Server.

The WebSphere Application Server administrative security must be enabled.

The WebSphere Application Server users in a local user registry group must be authorized for that group.

Nutanix AOS must control remote access methods.

Nutanix AOS must disable Remote Support Sessions.

Remote access to OHS must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.

OHS must have the Order, Allow, and Deny directives set within the Directory directives set to restrict inbound connections from nonsecure zones.

OHS must have the Order, Allow, and Deny directives set within the Files directives set to restrict inbound connections from nonsecure zones.

OHS must have the Order, Allow, and Deny directives set within the Location directives set to restrict inbound connections from nonsecure zones.

Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a pre-shared key.

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The VPN Gateway must be configured to perform an organization-defined action if the audit reveals unauthorized activity.

LockOutRealms must be used for management of Tomcat.

Apple iOS/iPadOS 17 must implement the management setting: Disable Allow MailDrop.

Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop.

The Ubuntu operating system must have an application firewall installed in order to control remote access methods.

The Ubuntu operating system must enable and run the uncomplicated firewall(ufw).

The operating system must control remote access methods.

SSMC web server must restrict connections from nonsecure zones.

The HPE 3PAR OS must be configured to restrict the encryption algorithms and protocols to comply with DOD-approved encryption to protect the confidentiality and integrity of remote access sessions.

AIX must be able to control the ability of remote login for users.

IBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.

IBM z/OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments.

The ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events.

The IIS 10.0 web server must restrict inbound connections from non-secure zones.

The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.

The "Deny log on through Remote Desktop Services" user right on Windows 11 workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems.

The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.

The "Deny log on through Remote Desktop Services" user right on member servers must be configured to prevent access from highly privileged domain accounts and all local accounts on domain systems and from unauthenticated access on all systems.

Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.

Windows Server 2019 "Deny log on through Remote Desktop Services" user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.

Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access.

Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems.

The Oracle Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.

An OL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

A firewall must be installed on OL 8.

A firewall must be active on OL 8.

The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must control remote access methods (inspect and filter traffic).

The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments.

A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems.

A firewall must be installed on RHEL 8.

A firewall must be active on RHEL 8.

RHEL 9 must have the firewalld package installed.

The firewalld service on RHEL 9 must be active.

RHEL 9 must control remote access methods.

The SUSE operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key.

Samsung Android must be configured to enable authentication of personal hotspot connections to the device using a preshared key. - Disallow config tethering.

The VMM must control remote access methods.

The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH).

VAMI must use cryptography to protect the integrity of remote sessions.

Envoy must exclusively use the HTTPS protocol for client connections.

The vCenter VAMI service must use cryptography to protect the integrity of remote sessions.

Remote access to the web server must follow access policy or work in conjunction with enterprise tools designed to enforce policy requirements.

The web server must restrict inbound connections from nonsecure zones.

The BIG-IP APM module access policy profile must control remote access methods to virtual servers.

The BIG-IP Core implementation providing intermediary services for remote access communications traffic must control remote access methods to virtual servers.

Ubuntu 22.04 LTS must have an application firewall installed in order to control remote access methods.

Ubuntu 22.04 LTS must enable and run the Uncomplicated Firewall (ufw).

Google Android 15 must be configured to enable authentication of personal hotspot connections to the device using a preshared key.

SLEM 5 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments.

A firewall must be installed on TOSS.

Apple iOS/iPadOS 18 must implement the management setting: disable Allow MailDrop.