Security Hardening
-
TNS OpenStack Dashboard/Horizon Security Guide
- All associated application files - 'Verify permissions'
- cman.ora - 'remote_admin = NO'
- Encryption - 'Use a procedure that employs a content data element as the encryption key that is unique for each record.'
- Encryption - 'Use RAW or BLOB for the storage of encrypted data'
- init.ora - 'audit_sys_operations = TRUE'
- init.ora - 'db_securefile = ALWAYS'
-
TNS NetApp Data ONTAP 7G Best Practices
- Autologout - 'autologout.console.enable = on'
- Autologout - 'autologout.console.timeout <= 5'
- Disable Unnecessary Services - 'rsh.access != legacy'
- Disable Unnecessary Services - 'telnet.access != legacy'
- Disable/Modify Default Accts - 'alternate admin account has been created (root)'
- Disable/Modify Default Accts - 'alternate admin account has been created (snmp)'
-
TNS Huawei VRP Best Practices
- Huawei: Command Levels Not Changed
- Huawei: Configure appropriate External Syslog server
- Huawei: Configure appropriate NTP server
- Huawei: Device clock = UTC
- Huawei: Device clock disable DST adjustment
- Huawei: Disable FTP IPV4
-
TNS HP ProCurve Best Practices
- HP ProCurve - 'Configure login attempts'
- HP ProCurve - 'Configure Management VLAN'
- HP ProCurve - 'Disable HTTP'
- HP ProCurve - 'Disable IP Stack Management'
- HP ProCurve - 'Disable SNMPv2'
- HP ProCurve - 'Disable Telnet'
-
TNS Fortigate FortiOS Best Practices v2.0.0
- Fortigate - AAA - LDAP server is trusted
- Fortigate - AAA - RADIUS server is trusted
- Fortigate - AAA - TACACS+ server is trusted
- Fortigate - Admin access - trusted hosts
- Fortigate - Admin password lockout >= 300 seconds
- Fortigate - Admin password lockout threshold - '1-3'
-
TNS Fortigate Best Practices v2.0.0
-
TNS ExtremeXOS Best Practice
- Extreme : Configure Banner before-login
- Extreme : Configure idletimeout <= 15
- Extreme : Configure max-failed-logins <= 3
- Extreme : Configure Remote Syslog
- Extreme : Configure timezone = UTC
- Extreme : Device Info
-
TNS BestPractice FireEye
- FireEye - A scheduled system backup job is configured
- FireEye - AAA failed logins are tracked
- FireEye - AAA is enabled
- FireEye - AAA LDAP binding user should not be an admin
- FireEye - AAA lockout settings apply to the 'admin' user
- FireEye - AAA lockouts are enabled
-
TNS BestPractice Citrix XenServer
- XenServer - Administrative actions are logged
- XenServer - All network interfaces are operating in full-duplex mode
- XenServer - Auto-start is not enabled
- XenServer - Disable promiscuous mode on all network interfaces
- XenServer - Disallow unplug detection on the storage network interface
- XenServer - Enable only necessary and secure services, protocols, daemons - 'lwsmd'
-
TNS BestPractice Citrix Hypervisor
- Administrative actions are logged
- All network interfaces are operating in full-duplex mode
- Auto-start is not enabled
- Disable promiscuous mode on all network interfaces
- Disallow unplug detection on the storage network interface
- Enable only necessary and secure services, protocols, daemons - 'lwsmd'
-
TNS Best Practices WatchGuard
- WatchGuard : Authentication Settings - 'Authentication User Session Timeout'
- WatchGuard : Authentication Settings - 'Authentication User Timeout'
- WatchGuard : Authentication Settings - 'Management User Idle Timeout'
- WatchGuard : Authentication Settings - 'Management User Session Timeout'
- WatchGuard : Data Loss Prevention Signature Update - 'Enabled'
- WatchGuard : DDoS Prevention - Distributed Denial-of-Service Prevention - Per Client Quota
-
TNS Best Practices SonicWALL 5.9
- SonicWALL - AAA - LDAP server is trusted
- SonicWALL - AAA - RADIUS server is trusted
- SonicWALL - Anti-Spyware - DMZ
- SonicWALL - Anti-Spyware - LAN
- SonicWALL - Anti-Spyware - WAN
- SonicWALL - Anti-Spyware - WLAN
-
TNS Best Practices Jetty 9 v1.0.0
- Management IP - .htaccess exists
- Management IP - review $jetty_home/contexts xml file
- access Control - JAAS
- access Control - security Realms
- Authentication
- configure log file size limit - org.eclipse.jetty.server.handler.RequestLogHandler
-
TNS Best Practice WatchGuard 1.0.0
- WatchGuard : ICMP Error Handling - 'host-unreachable'
- WatchGuard : ICMP Error Handling - 'network-unreachable'
- WatchGuard : ICMP Error Handling - 'pmtu-discovery'
- WatchGuard : ICMP Error Handling - 'port-unreachable'
- WatchGuard : ICMP Error Handling - 'protocol-unreachable'
- WatchGuard : ICMP Error Handling - 'time-exceeded'
-
TNS Best Practice RedHat JBoss v7 Linux
-
TNS Best Practice JBoss 7 Linux
- Audit logging - handler
- Audit logging - Logger
- Authentication
- Cluster Authentication
- Deployment Scanner
- Disable stacktrace in response body
-
TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice
- ACLs: Filter for RFC 1918 addresses (10.0.0.0/8)
- ACLs: Filter for RFC 1918 addresses (172.16.0.0/12)
- ACLs: Filter for RFC 1918 addresses (192.168.0.0/16)
- ACLs: Filter for RFC 3330 addresses (0.0.0.0/8)
- ACLs: Filter for RFC 3330 addresses (127.0.0.0/8)
- ACLs: Filter for RFC 3330 addresses (169.254.0.0/16)
-
TNS Alcatel Nokia TiMOS Best Practices
-
TNS Adtran AOS Best Practices
- Adtran : Device Info
- Adtran : Device Version
- Adtran : Disable FTP
- Adtran : Disable SSID Broadcast
- Adtran : Disable SSLv2
- Adtran : Disable Telnet
-
Tenable ZTE ROSNG Best Practices
- Account Anti-riot Attack
- Authentication and Verification of ISIS Routing Protocols - authentication
- Authentication and Verification of OSPF Routing Protocols - authentication message-digest
- Authentication and Verification of OSPF Routing Protocols - message-digest-key
- Disable the IP Unreachable Function
- Disable the Proxy ARP Function - a) No proxy
-
Tenable RedHat Enterprise Virtualization Best Practices
- RHEV: Administrative Roles
- RHEV: All VMs
- RHEV: Clusters
- RHEV: Clusters Memory Ballooning
- RHEV: Datacenters
- RHEV: Disks
-
Tenable F5 BIG-IP Best Practice
- Configuring a pre-login or post-login message banner for the BIG-IP or Enterprise Manager system - Banner Enabled
- Configuring a pre-login or post-login message banner for the BIG-IP or Enterprise Manager system - Banner Text
- Configuring a secure password policy for the BIG-IP system - Expiration Warning
- Configuring a secure password policy for the BIG-IP system - Maximum Duration
- Configuring a secure password policy for the BIG-IP system - Maximum Login Failures
- Configuring a secure password policy for the BIG-IP system - Minimum Duration
-
Tenable Cisco Firepower Threat Defense Best Practices
- Ensure 'aaa local authentication max failed attempts' is set to your organization's policy
- Ensure 'console session timeout' is set to organizational policy
- Ensure 'EIGRP authentication' is enabled
- Ensure 'Failover' is enabled
- Ensure 'Host Name' is set
- Ensure 'HTTP session timeout' is set to organizational policy
-
Tenable Cisco Firepower Best Practices
- Ensure 'aaa local authentication max failed attempts' is set to less than or equal to '3'
- Ensure 'console session timeout' is less than or equal to '5' minutes
- Ensure 'EIGRP authentication' is enabled
- Ensure 'Failover' is enabled
- Ensure 'Host Name' is set
- Ensure 'HTTP source restriction' is set to an authorized IP address
-
Tenable Cisco Firepower Management Center OS Best Practices
- Audit SGID executables
- Audit SUID executables
- Audit system file permissions - dpkg
- Audit system file permissions - rpm
- Audit system file permissions - zypper
- chrony is not installed - NTP server
-
Tenable Best Practices F5 BIG-IP v1.0.0
-
Tenable Best Practices Cisco ACI v1.0.0
- Console Authentication Realm
- Default Authentication Realm
- DNS Profile - Address - DNS Server 1
- DNS Profile - Address - DNS Server 2
- Enforce Password Change Interval
- Fabric Security - Policy - FIPS Mode
-
Tenable Best Practices Brocade FabricOS
- Brocade - administrator account is enabled with admin role assigned
- Brocade - All audit severity level must be audited
- Brocade - Authentication policy must be rejected
- Brocade - Banner Text
- Brocade - Bottleneck alerts must be enabled
- Brocade - Bottleneck detection must be enabled
-
Tenable Best Practice Citrix ADM v1.0.0
- Citrix ADM - NTP - Authentication
- Citrix ADM - NTP - Servers count
- Citrix ADM - NTP - Synchronization
- Citrix ADM - SSL - Settings - SSL v3
- Citrix ADM - SSL - Settings - TLS v1
- Citrix ADM - SSL - Settings - TLSv1.1
-
Tenable Best Practice Citrix ADC v1.0.0
- Citrix ADC - ARP - Spoofing
- Citrix ADC - NTP - Authentication
- Citrix ADC - NTP - Servers count
- Citrix ADC - NTP - Synchronization
- Citrix ADC - SNMP - Community names
- Citrix ADC - System Parameters - Allow Default Partition
-
Oracle WebLogic Server 12c Windows v2r1
- WBLC-01-000009 - Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions - SSL Listen Port
- WBLC-01-000009 - Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions - Unsecure Listen Port
- WBLC-01-000010 - Oracle WebLogic must use cryptography to protect the integrity of the remote access session - SSL Listen Port
- WBLC-01-000010 - Oracle WebLogic must use cryptography to protect the integrity of the remote access session - Unsecure Listen Port
- WBLC-01-000011 - Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
- WBLC-01-000013 - Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
-
Oracle WebLogic Server 12c Linux v2r1 Middleware
- WBLC-01-000009 - Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions - SSL Listen Port
- WBLC-01-000009 - Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions - Unsecure Listen Port
- WBLC-01-000010 - Oracle WebLogic must use cryptography to protect the integrity of the remote access session - SSL Listen Port
- WBLC-01-000010 - Oracle WebLogic must use cryptography to protect the integrity of the remote access session - Unsecure Listen Port
- WBLC-01-000011 - Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
- WBLC-01-000013 - Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
-
Oracle WebLogic Server 12c Linux v2r1
- WBLC-01-000009 - Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions - SSL Listen Port
- WBLC-01-000009 - Oracle WebLogic must utilize cryptography to protect the confidentiality of remote access management sessions - Unsecure Listen Port
- WBLC-01-000010 - Oracle WebLogic must use cryptography to protect the integrity of the remote access session - SSL Listen Port
- WBLC-01-000010 - Oracle WebLogic must use cryptography to protect the integrity of the remote access session - Unsecure Listen Port
- WBLC-01-000011 - Oracle WebLogic must employ automated mechanisms to facilitate the monitoring and control of remote access methods.
- WBLC-01-000013 - Oracle WebLogic must ensure remote sessions for accessing security functions and security-relevant information are audited.
-
NIST macOS Monterey v1.0.0 - CNSSI 1253
- Monterey - Allow Smartcard Authentication
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Monterey - Automatically Remove or Disable Temporary User Accounts within 72 Hours
- Monterey - Configure Audit Log Files Group to Wheel
- Monterey - Configure Audit Log Files to be Owned by Root
-
NIST macOS Monterey v1.0.0 - All Profiles
- Monterey - Access Control for Mobile Devices
- Monterey - Alert Audit Processing Failure
- Monterey - Allow Administrators to Modify Security Settings and System Attributes
- Monterey - Allow Administrators to Promote Other Users to Administrator Status
- Monterey - Allow Information Transfer with Other Operating Systems
- Monterey - Allow Smartcard Authentication
-
NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
- Monterey - Access Control for Mobile Devices
- Monterey - Allow Smartcard Authentication
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Audit Record Reduction and Report Generation - processing
- Monterey - Audit Record Reduction and Report Generation - reduction
- Monterey - Automatically Remove or Disable Emergency Accounts within 72 Hours
-
NIST macOS Monterey v1.0.0 - 800-53r5 Low
- Monterey - Access Control for Mobile Devices
- Monterey - Allow Smartcard Authentication
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Configure Audit Failure Notification
- Monterey - Configure Audit Log Files Group to Wheel
- Monterey - Configure Audit Log Files to be Owned by Root
-
NIST macOS Monterey v1.0.0 - 800-53r5 High
- Monterey - Access Control for Mobile Devices
- Monterey - Allow Smartcard Authentication
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Audit Record Reduction and Report Generation - processing
- Monterey - Audit Record Reduction and Report Generation - reduction
- Monterey - Automatically Remove or Disable Emergency Accounts within 72 Hours
-
NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
- Monterey - Allow Smartcard Authentication
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Monterey - Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours
- Monterey - Automatically Remove or Disable Temporary User Accounts within 72 Hours
- Monterey - Configure Audit Log Files Group to Wheel
-
NIST macOS Monterey v1.0.0 - 800-53r4 Low
- Monterey - Allow Smartcard Authentication
- Monterey - Configure Audit Log Files Group to Wheel
- Monterey - Configure Audit Log Files to be Owned by Root
- Monterey - Configure Audit Log Files to Mode 440 or Less Permissive
- Monterey - Configure Audit Log Files to Not Contain Access Control Lists
- Monterey - Configure Audit Log Folder to Not Contain Access Control Lists
-
NIST macOS Monterey v1.0.0 - 800-53r4 High
- Monterey - Allow Smartcard Authentication
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Audit Record Reduction and Report Generation - processing
- Monterey - Audit Record Reduction and Report Generation - reduction
- Monterey - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Monterey - Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours
-
NIST macOS Monterey v1.0.0 - 800-171
- Monterey - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Monterey - Configure Audit Failure Notification
- Monterey - Configure Audit Log Files Group to Wheel
- Monterey - Configure Audit Log Files to be Owned by Root
- Monterey - Configure Audit Log Files to Mode 440 or Less Permissive
- Monterey - Configure Audit Log Files to Not Contain Access Control Lists
-
NIST macOS Catalina v1.5.0 - CNSSI 1253
- Catalina - Allow Smartcard Authentication
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Catalina - Automatically Remove or Disable Temporary User Accounts within 72 Hours
- Catalina - Configure Audit Log Files Group to Wheel
- Catalina - Configure Audit Log Files to be Owned by Root
-
NIST macOS Catalina v1.5.0 - All Profiles
- Catalina - Access Control for Mobile Devices
- Catalina - Alert Audit Processing Failure
- Catalina - Allow Administrators to Modify Security Settings and System Attributes
- Catalina - Allow Administrators to Promote Other Users to Administrator Status
- Catalina - Allow Information Transfer with Other Operating Systems
- Catalina - Allow Smartcard Authentication
-
NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
- Catalina - Access Control for Mobile Devices
- Catalina - Allow Smartcard Authentication
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Audit Record Reduction and Report Generation - processing
- Catalina - Audit Record Reduction and Report Generation - reduction
- Catalina - Automatically Remove or Disable Emergency Accounts within 72 Hours
-
NIST macOS Catalina v1.5.0 - 800-53r5 Low
- Catalina - Access Control for Mobile Devices
- Catalina - Allow Smartcard Authentication
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Configure Audit Failure Notification
- Catalina - Configure Audit Log Files Group to Wheel
- Catalina - Configure Audit Log Files to be Owned by Root
-
NIST macOS Catalina v1.5.0 - 800-53r5 High
- Catalina - Access Control for Mobile Devices
- Catalina - Allow Smartcard Authentication
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Audit Record Reduction and Report Generation - processing
- Catalina - Audit Record Reduction and Report Generation - reduction
- Catalina - Automatically Remove or Disable Emergency Accounts within 72 Hours
-
NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
- Catalina - Allow Smartcard Authentication
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Catalina - Automatically Remove or Disable Temporary User Accounts within 72 Hours
- Catalina - Configure Audit Log Files Group to Wheel
- Catalina - Configure Audit Log Files to be Owned by Root
-
NIST macOS Catalina v1.5.0 - 800-53r4 Low
- Catalina - Allow Smartcard Authentication
- Catalina - Configure Audit Log Files Group to Wheel
- Catalina - Configure Audit Log Files to be Owned by Root
- Catalina - Configure Audit Log Files to Mode 440 or Less Permissive
- Catalina - Configure Audit Log Files to Not Contain Access Control Lists
- Catalina - Configure Audit Log Folder to Not Contain Access Control Lists
-
NIST macOS Catalina v1.5.0 - 800-53r4 High
- Catalina - Allow Smartcard Authentication
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Audit Record Reduction and Report Generation - processing
- Catalina - Audit Record Reduction and Report Generation - reduction
- Catalina - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Catalina - Automatically Remove or Disable Temporary User Accounts within 72 Hours
-
NIST macOS Catalina v1.5.0 - 800-171
- Catalina - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Catalina - Configure Audit Failure Notification
- Catalina - Configure Audit Log Files Group to Wheel
- Catalina - Configure Audit Log Files to be Owned by Root
- Catalina - Configure Audit Log Files to Mode 440 or Less Permissive
- Catalina - Configure Audit Log Files to Not Contain Access Control Lists
-
NIST macOS Big Sur v1.4.0 - CNSSI 1253
- Big Sur - Allow Smartcard Authentication
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Big Sur - Automatically Remove or Disable Temporary User Accounts within 72 Hours
- Big Sur - Configure Audit Log Files Group to Wheel
- Big Sur - Configure Audit Log Files to be Owned by Root
-
NIST macOS Big Sur v1.4.0 - All Profiles
- Big Sur - Access Control for Mobile Devices
- Big Sur - Alert Audit Processing Failure
- Big Sur - Allow Administrators to Modify Security Settings and System Attributes
- Big Sur - Allow Administrators to Promote Other Users to Administrator Status
- Big Sur - Allow Information Transfer with Other Operating Systems
- Big Sur - Allow Smartcard Authentication
-
NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
- Big Sur - Access Control for Mobile Devices
- Big Sur - Allow Smartcard Authentication
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Audit Record Reduction and Report Generation - processing
- Big Sur - Audit Record Reduction and Report Generation - reduction
- Big Sur - Automatically Remove or Disable Emergency Accounts within 72 Hours
-
NIST macOS Big Sur v1.4.0 - 800-53r5 Low
- Big Sur - Access Control for Mobile Devices
- Big Sur - Allow Smartcard Authentication
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Configure Audit Failure Notification
- Big Sur - Configure Audit Log Files Group to Wheel
- Big Sur - Configure Audit Log Files to be Owned by Root
-
NIST macOS Big Sur v1.4.0 - 800-53r5 High
- Big Sur - Access Control for Mobile Devices
- Big Sur - Allow Smartcard Authentication
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Audit Record Reduction and Report Generation - processing
- Big Sur - Audit Record Reduction and Report Generation - reduction
- Big Sur - Automatically Remove or Disable Emergency Accounts within 72 Hours
-
NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
- Big Sur - Allow Smartcard Authentication
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Big Sur - Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours
- Big Sur - Automatically Remove or Disable Temporary User Accounts within 72 Hours
- Big Sur - Configure Audit Log Files Group to Wheel
-
NIST macOS Big Sur v1.4.0 - 800-53r4 High
- Big Sur - Allow Smartcard Authentication
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Audit Record Reduction and Report Generation - processing
- Big Sur - Audit Record Reduction and Report Generation - reduction
- Big Sur - Automatically Remove or Disable Emergency Accounts within 72 Hours
- Big Sur - Automatically Remove or Disable Temporary or Emergency User Accounts within 72 Hours
-
NIST macOS Big Sur v1.4.0 - 800-53r4 Low
- Big Sur - Allow Smartcard Authentication
- Big Sur - Configure Audit Log Files Group to Wheel
- Big Sur - Configure Audit Log Files to be Owned by Root
- Big Sur - Configure Audit Log Files to Mode 440 or Less Permissive
- Big Sur - Configure Audit Log Files to Not Contain Access Control Lists
- Big Sur - Configure Audit Log Folder to Not Contain Access Control Lists
-
NIST macOS Big Sur v1.4.0 - 800-171
- Big Sur - Apply Gatekeeper Settings to Block Applications from Unidentified Developers
- Big Sur - Configure Audit Failure Notification
- Big Sur - Configure Audit Log Files Group to Wheel
- Big Sur - Configure Audit Log Files to be Owned by Root
- Big Sur - Configure Audit Log Files to Mode 440 or Less Permissive
- Big Sur - Configure Audit Log Files to Not Contain Access Control Lists
-
MSCT Windows Server v20H2 MS v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server v20H2 DC v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server v2004 MS v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server v1909 MS v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server v2004 DC v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server v1909 DC v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server 2019 MS v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Guest account status
-
MSCT Windows Server 2019 DC v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server 2016 MS v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Guest account status
-
MSCT Windows Server 2016 DC v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server 2012 R2 MS v1.0.0
- Access Credential Manager as a trusted caller
- Access this computer from the network
- Account lockout duration
- Account lockout threshold
- Accounts: Guest account status
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server 2012 R2 DC v1.0.0
- Access Credential Manager as a trusted caller
- Access this computer from the network
- Account lockout duration
- Account lockout threshold
- Accounts: Limit local account use of blank passwords to console logon only
- Act as part of the operating system
-
MSCT Windows Server 1903 MS v1.19.9
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows Server 1903 DC v1.19.9
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows 10 v21H2 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows 10 v20H2 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows 10 v2004 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows 10 v1507 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Account lockout threshold
-
MSCT Windows 10 1909 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows 10 1903 v1.19.9
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Limit local account use of blank passwords to console logon only
-
MSCT Windows 10 1809 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Accounts: Administrator account status
-
MSCT Windows 10 1803 v1.0.0
- Access Credential Manager as a trusted caller
- Access data sources across domains - Internet Zone
- Access data sources across domains - Restricted Sites Zone
- Access this computer from the network
- Account lockout duration
- Account lockout threshold
-
MSCT Office 365 ProPlus 1908 v1.0.0
- ActiveX Control Initialization
- Add-on Management - groove.exe
- Add-on Management - msaccess.exe
- Add-on Management - mse7.exe
- Add-on Management - mspub.exe
- Add-on Management - onenote.exe
-
DISA Windows Server 2012 and 2012 R2 MS STIG v3r3
- WN12-00-000007 - Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
- WN12-00-000011 - Windows 2012/2012 R2 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization.
- WN12-00-000017 - System-related documentation must be backed up in accordance with local recovery time and recovery point objectives.
- WN12-00-000018 - The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
- WN12-00-000019 - Protection methods such as TLS, encrypted VPNs, or IPSEC must be implemented if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process.
- WN12-00-000020 - Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
-
DISA Windows Server 2012 and 2012 R2 DC STIG v3r3
- WN12-00-000001 - Server systems must be located in a controlled access area, accessible only to authorized personnel.
- WN12-00-000004 - Users with administrative privilege must be documented.
- WN12-00-000005 - Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks.
- WN12-00-000006 - Policy must require that system administrators (SAs) be trained for the operating systems used by systems under their control.
- WN12-00-000007 - Windows 2012/2012 R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization.
- WN12-00-000008 - Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email.
-
DISA Windows 10 STIG v2r3
- DISA_STIG_Windows_10_v2r3.audit from DISA Microsoft Windows 10 v2r3 STIG
- WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version - 64-bit
- WN10-00-000005 - Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.
- WN10-00-000010 - Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use - TPM enabled and ready for use.
- WN10-00-000015 - Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS.
- WN10-00-000020 - Secure Boot must be enabled on Windows 10 systems.
-
DISA Symantec ProxySG Benchmark NDM v1r2
- SYMP-NM-000010 - Symantec ProxySG must be configured with only one local account that is used as the account of last resort.
- SYMP-NM-000020 - Symantec ProxySG must be configured to enforce user authorization to implement least privilege.
- SYMP-NM-000030 - Symantec ProxySG must configure Web Management Console access restrictions to authorized IP address/ranges.
- SYMP-NM-000040 - Symantec ProxySG must be configured to enforce assigned privilege levels for approved administrators when accessing the management console, SSH, and the command line interface (CLI).
- SYMP-NM-000050 - Symantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period - Lockout duration
- SYMP-NM-000050 - Symantec ProxySG must be configured to enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period - max-failed-attempts
-
DISA Symantec ProxySG Benchmark ALG v1r3
- SYMP-AG-000010 - If Symantec ProxySG filters externally initiated traffic, reverse proxy services must be configured.
- SYMP-AG-000020 - Symantec ProxySG providing intermediary services for remote access communications traffic must ensure outbound traffic is monitored for compliance with remote access security policies.
- SYMP-AG-000030 - Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52 - client.connection.negotiated_cipher
- SYMP-AG-000030 - Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52 - client.connection.negotiated_ssl_version
- SYMP-AG-000030 - Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52 - server.connection.negotiated_cipher
- SYMP-AG-000030 - Symantec ProxySG providing forward proxy intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52 - server.connection.negotiated_ssl_version
-
DISA STIG Windows Defender Antivirus v2r3
- WNDF-AV-000001 - Windows Defender AV must be configured to block the Potentially Unwanted Application (PUA) feature - PUA feature.
- WNDF-AV-000003 - Windows Defender AV must be configured to automatically take action on all detected tasks.
- WNDF-AV-000004 - Windows Defender AV must be configured to run and scan for malware and other potentially unwanted software.
- WNDF-AV-000005 - Windows Defender AV must be configured to not exclude files for scanning.
- WNDF-AV-000006 - Windows Defender AV must be configured to not exclude files opened by specified processes.
- WNDF-AV-000007 - Windows Defender AV must be configured to enable the Automatic Exclusions feature.
-
DISA STIG VMware vSphere Virtual Machine 6.x v1r1
- VMCH-06-000001 - The system must explicitly disable copy operations.
- VMCH-06-000002 - The system must explicitly disable drag and drop operations.
- VMCH-06-000003 - The system must explicitly disable any GUI functionality for copy/paste operations.
- VMCH-06-000004 - The system must explicitly disable paste operations.
- VMCH-06-000005 - The system must disable virtual disk shrinking.
- VMCH-06-000006 - The system must disable virtual disk erasure.
-
DISA STIG VMware vSphere Virtual Machine 6.5 v2r1
- DISA_STIG_VMware_vSphere_Virtual_Machine_6.5_v2r1.audit from DISA VMware vSphere 6.5 Virtual Machine v2r1 STIG
- VMCH-65-000001 - Copy operations must be disabled on the virtual machine.
- VMCH-65-000002 - Drag and drop operations must be disabled on the virtual machine.
- VMCH-65-000003 - GUI functionality for copy/paste operations must be disabled on the virtual machine.
- VMCH-65-000004 - Paste operations must be disabled on the virtual machine.
- VMCH-65-000005 - Virtual disk shrinking must be disabled on the virtual machine.
-
DISA STIG VMware vSphere vCenter 6.x v1r4
- VCWN-06-000001 - The system must prohibit password reuse for a minimum of five generations.
- VCWN-06-000002 - The system must not automatically refresh client sessions.
- VCWN-06-000003 - The system must enforce a 60-day maximum password lifetime restriction.
- VCWN-06-000004 - The system must terminate management sessions after 10 minutes of inactivity.
- VCWN-06-000005 - The vCenter Server users must have the correct roles assigned.
- VCWN-06-000007 - The system must limit the effects of information-flooding types of Denial of Service (DoS) attacks.
-
DISA STIG VMware vSphere vCenter 6.5 v2r2
- DISA_STIG_VMware_vSphere_vCenter_6.5_v2r2.audit from DISA VMW vSphere 6.5 vCenter Server for Windows v2r2 STIG
- VCWN-65-000001 - The vCenter Server for Windows must prohibit password reuse for a minimum of five generations.
- VCWN-65-000002 - The vCenter Server for Windows must not automatically refresh client sessions.
- VCWN-65-000003 - The vCenter Server for Windows must enforce a 60-day maximum password lifetime restriction.
- VCWN-65-000004 - The vCenter Server for Windows must terminate management sessions after 10 minutes of inactivity.
- VCWN-65-000005 - The vCenter Server for Windows users must have the correct roles assigned.
-
DISA STIG VMware vSphere ESXi OS 6.5 v2r3
- DISA_STIG_VMware_vSphere_ESXi_6.5_Bare_Metal_Host_v2r3.audit from DISA VMware vSphere 6.5 ESXi v2r3 STIG
- ESXI-65-000009 - The ESXi host SSH daemon must be configured with the Department of Defense (DoD) login banner.
- ESXI-65-000010 - The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.
- ESXI-65-000011 - The ESXi host SSH daemon must be configured to use only the SSHv2 protocol.
- ESXI-65-000012 - The ESXi host SSH daemon must ignore .rhosts files.
- ESXI-65-000013 - The ESXi host SSH daemon must not allow host-based authentication.
-
DISA STIG VMware vSphere 6.x ESXi v1r5
- ESXI-06-000001 - The VMM must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.
- ESXI-06-000002 - The system must verify the DCUI.Access list.
- ESXI-06-000003 - The system must verify the exception users list for lockdown mode.
- ESXI-06-000004 - Remote logging for ESXi hosts must be configured.
- ESXI-06-000005 - The system must enforce the limit of three consecutive invalid logon attempts by a user.
- ESXI-06-000006 - The system must enforce the unlock timeout of 15 minutes after a user account is locked out.
-
DISA STIG VMware vSphere ESXi 6.5 v2r3
- DISA_STIG_VMware_vSphere_ESXi_6.5_v2r3.audit from DISA VMware vSphere 6.5 ESXi v2r3 STIG
- ESXI-65-000001 - The ESXi host must limit the number of concurrent sessions to ten for all accounts and/or account types by enabling lockdown mode.
- ESXI-65-000002 - The ESXi host must verify the DCUI.Access list.
- ESXI-65-000003 - The ESXi host must verify the exception users list for lockdown mode.
- ESXI-65-000004 - Remote logging for ESXi hosts must be configured.
- ESXI-65-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
-
DISA STIG VMware vSphere 6.x ESXi OS v1r5
- ESXI-06-000009 - The SSH daemon must be configured with the Department of Defense (DoD) login banner.
- ESXI-06-000010 - The VMM must use DoD-approved encryption to protect the confidentiality of remote access sessions.
- ESXI-06-000011 - The SSH daemon must be configured to use only the SSHv2 protocol.
- ESXI-06-000012 - The SSH daemon must ignore .rhosts files.
- ESXI-06-000013 - The SSH daemon must not allow host-based authentication.
- ESXI-06-000014 - The SSH daemon must not permit root logins.
-
DISA STIG VMware vSphere 6.7 Virtual Machine v1r1
- DISA_STIG_VMware_vSphere_Virtual_Machine_6.7_v1r1.audit from DISA VMware vSphere 6.7 Virtual Machine v1r1 STIG
- VMCH-67-000001 - Copy operations must be disabled on the virtual machine.
- VMCH-67-000002 - Drag and drop operations must be disabled on the virtual machine.
- VMCH-67-000003 - Paste operations must be disabled on the virtual machine.
- VMCH-67-000004 - Virtual disk shrinking must be disabled on the virtual machine.
- VMCH-67-000005 - Virtual disk erasure must be disabled on the virtual machine.
-
DISA STIG VMware vSphere 6.7 Virgo Client v1r1
- VCFL-67-000001 - vSphere Client must limit the amount of time that each TCP connection is kept alive.
- VCFL-67-000002 - vSphere Client must limit the number of concurrent connections permitted.
- VCFL-67-000003 - vSphere Client must limit the maximum size of a POST request.
- VCFL-67-000004 - vSphere Client must protect cookies from XSS.
- VCFL-67-000005 - vSphere Client must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
- VCFL-67-000006 - vSphere Client must be configured to enable SSL/TLS.
-
DISA STIG VMware vSphere 6.7 vCenter v1r1
- DISA_STIG_VMware_vSphere_vCenter_6.7_v1r1.audit from DISA VMware vSphere 6.7 vCenter v1r1 STIG
- VCTR-67-000001 - The vCenter Server must prohibit password reuse for a minimum of five generations.
- VCTR-67-000002 - The vCenter Server must not automatically refresh client sessions.
- VCTR-67-000003 - The vCenter Server must enforce a 60-day maximum password lifetime restriction.
- VCTR-67-000004 - The vCenter Server must terminate management sessions after 10 minutes of inactivity.
- VCTR-67-000005 - The vCenter Server users must have the correct roles assigned.
-
DISA STIG VMware vSphere 6.7 VAMI-lighttpd v1r1
- VCLD-67-000001 - VAMI must limit the number of simultaneous requests.
- VCLD-67-000002 - VAMI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections.
- VCLD-67-000003 - VAMI must use cryptography to protect the integrity of remote sessions.
- VCLD-67-000004 - VAMI must be configured to monitor remote access.
- VCLD-67-000005 - VAMI must generate log records for system startup and shutdown.
- VCLD-67-000006 - VAMI must produce log records containing sufficient information to establish what type of events occurred.
-
DISA STIG VMware vSphere 6.7 STS Tomcat v1r1
- VCST-67-000001 - The Security Token Service must limit the amount of time that each TCP connection is kept alive.
- VCST-67-000002 - The Security Token Service must limit the number of concurrent connections permitted.
- VCST-67-000003 - The Security Token Service must limit the maximum size of a POST request.
- VCST-67-000004 - The Security Token Service must protect cookies from XSS.
- VCST-67-000005 - The Security Token Service must record user access in a format that enables monitoring of remote access.
- VCST-67-000006 - The Security Token Service must generate log records during Java startup and shutdown - .handlers
-
DISA STIG VMware vSphere 6.7 UI Tomcat v1r1
- VCUI-67-000001 - vSphere UI must limit the amount of time that each TCP connection is kept alive.
- VCUI-67-000002 - vSphere UI must limit the number of concurrent connections permitted.
- VCUI-67-000003 - vSphere UI must limit the maximum size of a POST request.
- VCUI-67-000004 - vSphere UI must protect cookies from XSS.
- VCUI-67-000005 - vSphere UI must record user access in a format that enables monitoring of remote access.
- VCUI-67-000006 - vSphere UI must generate log records for system startup and shutdown.
-
DISA STIG VMware vSphere 6.7 RhttpProxy v1r1
- VCRP-67-000001 - The rhttpproxy must drop connections to disconnected clients.
- VCRP-67-000002 - The rhttpproxy must set a limit on established connections.
- VCRP-67-000003 - The rhttpproxy must be configured to operate solely with FIPS ciphers.
- VCRP-67-000004 - The rhttpproxy must use cryptography to protect the integrity of remote sessions.
- VCRP-67-000005 - The rhttpproxy must produce log records containing sufficient information to establish the source of events.
- VCRP-67-000006 - The rhttpproxy must have logging enabled.
-
DISA STIG VMware vSphere 6.7 PostgreSQL v1r1
- VCPG-67-000001 - VMware Postgres must limit the number of connections.
- VCPG-67-000002 - VMware Postgres log files must contain required fields.
- VCPG-67-000003 - VMware Postgres configuration files must not be accessible by unauthorized users.
- VCPG-67-000004 - VMware Postgres must be configured to overwrite older logs when necessary.
- VCPG-67-000005 - VMware Postgres database must protect log files from unauthorized access and modification.
- VCPG-67-000008 - All VCDB tables must be owned by the 'vc' user account - vc user account.
-
DISA STIG VMware vSphere 6.7 Photon OS v1r1
- PHTN-67-000001 - The Photon operating system must audit all account creations - groupadd
- PHTN-67-000001 - The Photon operating system must audit all account creations - useradd
- PHTN-67-000002 - The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.
- PHTN-67-000003 - The Photon operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting SSH access - content
- PHTN-67-000003 - The Photon operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting SSH access - ssh
- PHTN-67-000004 - The Photon operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
-
DISA STIG VMware vSphere 6.7 Perfcharts Tomcat v1r1
- VCPF-67-000001 - Performance Charts must limit the amount of time that each TCP connection is kept alive.
- VCPF-67-000002 - Performance Charts must limit the number of concurrent connections permitted.
- VCPF-67-000003 - Performance Charts must limit the maximum size of a POST request.
- VCPF-67-000004 - Performance Charts must protect cookies from cross-site scripting (XSS).
- VCPF-67-000005 - Performance Charts must record user access in a format that enables monitoring of remote access.
- VCPF-67-000006 - Performance Charts must generate log records for system startup and shutdown.
-
DISA STIG VMware vSphere 6.7 ESXi OS v1r1
- DISA_STIG_VMware_vSphere_ESXi_6.7_Bare_Metal_Host_v1r1.audit from DISA VMware vSphere 6.7 ESXi v1r1 STIG
- ESXI-67-000009 - The ESXi host SSH daemon must be configured with the DoD logon banner - DoD login banner.
- ESXI-67-000010 - The ESXi host SSH daemon must use DoD-approved encryption to protect the confidentiality of remote access sessions.
- ESXI-67-000012 - The ESXi host SSH daemon must ignore .rhosts files.
- ESXI-67-000013 - The ESXi host SSH daemon must not allow host-based authentication.
- ESXI-67-000014 - The ESXi host SSH daemon must not permit root logins.
-
DISA STIG VMware vSphere 6.7 ESXi v1r1
- DISA_STIG_VMware_vSphere_ESXi_6.7_v1r1.audit from DISA VMware vSphere 6.7 ESXi v1r1 STIG
- ESXI-67-000001 - Access to the ESXi host must be limited by enabling Lockdown Mode.
- ESXI-67-000002 - The ESXi host must verify the DCUI.Access list.
- ESXI-67-000003 - The ESXi host must verify the exception users list for Lockdown Mode.
- ESXI-67-000004 - Remote logging for ESXi hosts must be configured.
- ESXI-67-000005 - The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user.
-
DISA STIG VMware vSphere 6.7 EAM Tomcat v1r1
- VCEM-67-000001 - ESX Agent Manager must limit the amount of time that each TCP connection is kept alive.
- VCEM-67-000002 - ESX Agent Manager must limit the number of concurrent connections permitted.
- VCEM-67-000003 - ESX Agent Manager must limit the maximum size of a POST request.
- VCEM-67-000004 - ESX Agent Manager must protect cookies from XSS.
- VCEM-67-000005 - ESX Agent Manager must record user access in a format that enables monitoring of remote access.
- VCEM-67-000006 - ESX Agent Manager must generate log records for system startup and shutdown.
-
DISA STIG VMWare ESXi vCenter 5 STIG v2r1
- VCENTER-000003 - The VMware Update Manager must not be configured to manage its own VM or the VM of its vCenter Server.
- VCENTER-000005 - Privilege re-assignment must be checked after the vCenter Server restarts.
- VCENTER-000006 - The Web datastore browser must be disabled, unless required for normal day-to-day operations.
- VCENTER-000007 - The managed object browser must be disabled, at all times, when not required for the purpose of troubleshooting or maintenance of managed objects.
- VCENTER-000008 - The vCenter Server must be installed using a service account instead of a built-in Windows account.
- VCENTER-000009 - The connectivity between Update Manager and public patch repositories must be restricted by use of a separate Update Manager Download Server.
-
DISA STIG VMWare ESXi Server 5 STIG v2r1
- ESXI5-VMNET-000001 - All dvPortgroup VLAN IDs must be fully documented.
- ESXI5-VMNET-000002 - All dvSwitch Private VLAN IDs must be fully documented.
- ESXI5-VMNET-000003 - All virtual switches must have a clear network label.
- ESXI5-VMNET-000004 - Virtual switch VLANs must be fully documented and have only the required VLANs.
- ESXI5-VMNET-000005 - All vSwitch and VLAN IDs must be fully documented - 'vSwitch labels'
- ESXI5-VMNET-000006 - All IP-based storage traffic must be isolated to a management-only network using a dedicated, physical network adaptor.
-
DISA STIG VMWare ESXi 5 Virtual Machine STIG v2r1
- ESXI5-VM-000001 - The system must control virtual machine access to host resources - 'Memory limit'
- ESXI5-VM-000001 - The system must control virtual machine access to host resources - 'Memory reservation'
- ESXI5-VM-000001 - The system must control virtual machine access to host resources - 'Memory share'
- ESXI5-VM-000002 - The system must disable tools auto install.
- ESXI5-VM-000003 - The system must explicitly disable copy operations.
- ESXI5-VM-000004 - The system must explicitly disable drag and drop operations.
-
DISA STIG Ubuntu 20.04 LTS v1r1
- UBTU-20-010000 - The Ubuntu operating system must provision temporary user accounts with an expiration time of 72 hours or less.
- UBTU-20-010002 - The Ubuntu operating system must enable the graphical user logon banner to display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
- UBTU-20-010003 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local access to the system via a graphical user logon.
- UBTU-20-010004 - The Ubuntu operating system must retain a user's session lock until that user reestablishes access using established identification and authentication procedures.
- UBTU-20-010005 - The Ubuntu operating system must allow users to directly initiate a session lock for all connection types.
- UBTU-20-010006 - The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.
-
DISA STIG Ubuntu 18.04 LTS v2r4
- UBTU-18-010000 - Ubuntu operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.
- UBTU-18-010001 - Ubuntu operating systems booted with Unified Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user and maintenance modes.
- UBTU-18-010002 - The Ubuntu operating system must initiate session audits at system startup.
- UBTU-18-010003 - Ubuntu operating systems handling data requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest.
- UBTU-18-010005 - The Ubuntu operating system must implement NIST FIPS-validated cryptography.
- UBTU-18-010006 - The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity - action_mail_acct
-
DISA STIG Ubuntu 16.04 LTS v2r3
- UBTU-16-010000 - The Ubuntu operating system must be a vendor supported release.
- UBTU-16-010010 - Ubuntu vendor packaged system security patches and updates must be installed and up to date.
- UBTU-16-010010 - Ubuntu vendor packaged system security patches and updates must be installed and up to date.
- UBTU-16-010020 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon - enabled
- UBTU-16-010020 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon - text
- UBTU-16-010030 - The Ubuntu operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
-
DISA STIG SQL Server 2016 Instance OS v2r6
- SQL6-D0-003800 - SQL Server must be configured to utilize the most-secure authentication method available.
- SQL6-D0-004000 - SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared.
- SQL6-D0-006700 - SQL Server software installation account must be restricted to authorized users.
- SQL6-D0-006800 - Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
- SQL6-D0-008300 - Confidentiality of controlled information during transmission through the use of an approved TLS version - SSL 2.0 Client DisabledByDefault
- SQL6-D0-008300 - Confidentiality of controlled information during transmission through the use of an approved TLS version - SSL 2.0 Client Enabled
-
DISA STIG SQL Server 2014 Instance OS v2r2
- SQL4-00-014000 - SQL Server and/or the operating system must protect its audit configuration from unauthorized modification.
- SQL4-00-014100 - SQL Server and the operating system must protect SQL Server audit features from unauthorized removal.
- SQL4-00-015350 - Software, applications, and configuration files that are part of, or related to, the SQL Server installation must be monitored to discover unauthorized changes.
- SQL4-00-015400 - SQL Server software installation account(s) must be restricted to authorized users.
- SQL4-00-015500 - Database software directories, including SQL Server configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
- SQL4-00-016500 - SQL Server must have the SQL Server Data Tools (SSDT) software component removed if it is unused.
-
DISA STIG SQL Server 2012 Database OS v1r20
- SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Full-text Filter Daemon Launcher'
- SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Agent'
- SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Analysis Services'
- SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Browser'
- SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Distributed Replay Client'
- SQL2-00-008900 - SQL Server processes or services must run under custom, dedicated OS or domain accounts - 'SQL Server Distributed Replay Controller'
-
DISA STIG Solaris 11 X86 v2r6
- SOL-11.1-010040 - The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
- SOL-11.1-010060 - The audit system must support an audit reduction capability.
- SOL-11.1-010070 - The audit system records must be able to be used by a report generation capability.
- SOL-11.1-010080 - The operating system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
- SOL-11.1-010100 - The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
- SOL-11.1-010120 - The operating system must generate audit records for the selected list of auditable events as defined in the DoD list of events.
-
DISA STIG Solaris 11 SPARC v2r6
- SOL-11.1-010040 - The audit system must produce records containing sufficient information to establish the identity of any user/subject associated with the event.
- SOL-11.1-010060 - The audit system must support an audit reduction capability.
- SOL-11.1-010070 - The audit system records must be able to be used by a report generation capability.
- SOL-11.1-010080 - The operating system must provide the capability to automatically process audit records for events of interest based upon selectable event criteria.
- SOL-11.1-010100 - The audit records must provide data for all auditable events defined at the organizational level for the organization-defined information system components.
- SOL-11.1-010120 - The operating system must generate audit records for the selected list of auditable events as defined in the DoD list of events.
-
DISA STIG Solaris 10 X86 v2r2
- GEN000000-SOL00020 - The nosuid option must be configured in the /etc/rmmount.conf file.
- GEN000000-SOL00040 - The /etc/security/audit_user file must not define a different auditing level for specific users.
- GEN000000-SOL00060 - The /etc/security/audit_user file must be owned by root.
- GEN000000-SOL00080 - The /etc/security/audit_user file must be group-owned by root, sys, or bin.
- GEN000000-SOL00100 - The /etc/security/audit_user file must have mode 0640 or less permissive.
- GEN000000-SOL00110 - The /etc/security/audit_user file must not have an extended ACL.
-
DISA STIG Solaris 10 SPARC v2r2
- GEN000000-SOL00020 - The nosuid option must be configured in the /etc/rmmount.conf file.
- GEN000000-SOL00040 - The /etc/security/audit_user file must not define a different auditing level for specific users.
- GEN000000-SOL00060 - The /etc/security/audit_user file must be owned by root.
- GEN000000-SOL00080 - The /etc/security/audit_user file must be group-owned by root, sys, or bin.
- GEN000000-SOL00100 - The /etc/security/audit_user file must have mode 0640 or less permissive.
- GEN000000-SOL00110 - The /etc/security/audit_user file must not have an extended ACL.
-
DISA STIG SharePoint 2013 v2r2
- DISA_STIG_SharePoint_2013_v2r2.audit from DISA Microsoft SharePoint 2013 v2r2 STIG
- SP13-00-000005 - SharePoint must support the requirement to initiate a session lock after 15 minutes of system or application inactivity has transpired.
- SP13-00-000010 - SharePoint must maintain and support the use of security attributes with stored information - 'Custom content types have been defined for Site'
- SP13-00-000010 - SharePoint must maintain and support the use of security attributes with stored information - 'Document Library'
- SP13-00-000015 - SharePoint must utilize approved cryptography to protect the confidentiality of remote access sessions.
- SP13-00-000020 - SharePoint must use cryptography to protect the integrity of the remote access session.
-
DISA STIG SharePoint 2010 v1r9
- SHPT-00-000007 - SharePoint must support the requirement to initiate a session lock after an organizationally defined time period of system or application inactivity has transpired.
- SHPT-00-000009 - SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes.
- SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information - 'Document Library'
- SHPT-00-000010 - SharePoint must maintain and support the use of organizationally defined security attributes to stored information.
- SHPT-00-000040 - SharePoint must allow authorized users to associate security attributes with information.
- SHPT-00-000100 - SharePoint must enforce dual authorization, based on organizational policies and procedures for organizationally defined privileged commands.
-
DISA STIG PostgreSQL 9.x on RHEL OS v2r2
- PGS9-00-000400 - The audit information produced by PostgreSQL must be protected from unauthorized modification - log directory
- PGS9-00-000400 - The audit information produced by PostgreSQL must be protected from unauthorized modification - log files
- PGS9-00-000400 - The audit information produced by PostgreSQL must be protected from unauthorized modification - log_file_mode
- PGS9-00-000500 - PostgreSQL must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
- PGS9-00-000700 - Privileges to change PostgreSQL software modules must be limited - binary objects
- PGS9-00-000700 - Privileges to change PostgreSQL software modules must be limited - data
-
DISA STIG Palo Alto ALG v2r2
- DISA_STIG_Palo_Alto_Networks_ALG_STIG_v2r2.audit from DISA Palo Alto Networks ALG v2r2 STIG
- PANW-AG-000017 - The Palo Alto Networks security platform that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
- PANW-AG-000020 - The Palo Alto Networks security platform, if used as a TLS gateway/decryption point or VPN concentrator, must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions.
- PANW-AG-000024 - The Palo Alto Networks security platform must log violations of security policies.
- PANW-AG-000035 - The Palo Alto Networks security platform must only enable User-ID on trusted zones.
- PANW-AG-000036 - The Palo Alto Networks security platform must disable WMI probing if it is not used.
-
DISA STIG Palo Alto NDM v1r4
- DISA_STIG_Palo_Alto_NDM_v1r4.audit from DISA Palo Alto Networks NDM v1r4 STIG
- PANW-NM-000015 - The Palo Alto Networks security platform must enforce the limit of three consecutive invalid logon attempts.
- PANW-NM-000016 - The Palo Alto Networks security platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the device.
- PANW-NM-000024 - The Palo Alto Networks security platform must generate audit records when successful/unsuccessful attempts to access privileges occur - Configuration Logs 'CRITICAL'
- PANW-NM-000024 - The Palo Alto Networks security platform must generate audit records when successful/unsuccessful attempts to access privileges occur - Configuration Logs 'HIGH'
- PANW-NM-000024 - The Palo Alto Networks security platform must generate audit records when successful/unsuccessful attempts to access privileges occur - Configuration Logs 'INFORMATIONAL'
-
DISA STIG Oracle Linux 6 v1r18
- OL6-00-000001 - The system must use a separate file system for /tmp.
- OL6-00-000002 - The system must use a separate file system for /var.
- OL6-00-000003 - The system must use a separate file system for /var/log.
- OL6-00-000004 - The system must use a separate file system for the system audit data path.
- OL6-00-000005 - The audit system must alert designated staff members when the audit storage volume approaches capacity.
- OL6-00-000008 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
-
DISA STIG Oracle JRE 8 Windows v2r1
- JRE8-WN-000010 - Oracle JRE 8 must have a deployment.config file present.
- JRE8-WN-000020 - Oracle JRE 8 deployment.config file must contain proper keys and values - deployment.system.config
- JRE8-WN-000020 - Oracle JRE 8 deployment.config file must contain proper keys and values - deployment.system.config.mandatory
- JRE8-WN-000030 - Oracle JRE 8 must have a deployment.properties file present.
- JRE8-WN-000060 - Oracle JRE 8 must default to the most secure built-in setting - deployment.security.level
- JRE8-WN-000060 - Oracle JRE 8 must default to the most secure built-in setting - deployment.security.level.locked
-
DISA STIG Oracle JRE 8 Unix v1r3
- JRE8-UX-000010 - Oracle JRE 8 must have a deployment.config file present.
- JRE8-UX-000020 - Oracle JRE 8 deployment.config file must contain proper keys and values - deployment.system.config
- JRE8-UX-000020 - Oracle JRE 8 deployment.config file must contain proper keys and values - deployment.system.config.mandatory
- JRE8-UX-000030 - Oracle JRE 8 must have a deployment.properties file present.
- JRE8-UX-000060 - Oracle JRE 8 must default to the most secure built-in setting - deployment.security.level
- JRE8-UX-000060 - Oracle JRE 8 must default to the most secure built-in setting - deployment.security.level.locked
-
DISA STIG Oracle HTTP Server 12.1.3 v1r7
- OH12-1X-000001 - OHS must have the mpm property set to use the worker Multi-Processing Module (MPM) as the preferred means to limit the number of allowed simultaneous requests.
- OH12-1X-000002 - OHS must have the mpm_prefork_module directive disabled so as not to conflict with the worker directive used to limit the number of allowed simultaneous requests.
- OH12-1X-000003 - OHS must have the MaxClients directive defined to limit the number of allowed simultaneous requests.
- OH12-1X-000004 - OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests - ThreadLimit
- OH12-1X-000004 - OHS must limit the number of threads within a worker process to limit the number of allowed simultaneous requests - ThreadsPerChild
- OH12-1X-000005 - OHS must limit the number of worker processes to limit the number of allowed simultaneous requests.
-
DISA STIG Oracle 12c v2r3 Windows
- DISA_STIG_Oracle_Database_12c_v2r3_OS_Windows.audit from DISA Oracle Database 12c v2r3 STIG
- O121-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
- O121-BP-024100 - DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
- O121-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users.
- O121-BP-025600 - Network access to the DBMS must be restricted to authorized personnel - Rules
- O121-BP-025600 - Network access to the DBMS must be restricted to authorized personnel - tcp.invited_nodes=
-
DISA STIG Oracle 11.2g v2r2 Windows
- DISA_STIG_Oracle_Database_11.2g_v2r2_OS_Windows.audit from DISA Oracle Database 11.2g v2r2 STIG
- O112-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
- O112-BP-022700 - The Oracle Listener must be configured to require administration authentication.
- O112-BP-025101 - The directory assigned to the AUDIT_FILE_DEST parameter must be protected from unauthorized access and must be stored in a dedicated directory or disk partition separate from software or other application files.
- O112-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - '/etc/profile umask < 022'
- O112-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - 'umask < 0022'
-
DISA STIG Oracle 12c v2r3 Linux
- DISA_STIG_Oracle_Database_12c_v2r3_OS_Linux.audit from DISA Oracle Database 12c v2r3 STIG
- O121-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
- O121-BP-022700 - The Oracle Listener must be configured to require administration authentication.
- O121-BP-024100 - DBMS production application and data directories must be protected from developers on shared production/development DBMS host systems.
- O121-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - /etc/profile umask < 022
- O121-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - umask < 0022
-
DISA STIG Oracle 11.2g v2r2 Linux
- DISA_STIG_Oracle_Database_11.2g_v2r2_OS_Linux.audit from DISA Oracle Database 11.2g v2r2 STIG
- O112-BP-022200 - The Oracle password file ownership and permissions should be limited and the REMOTE_LOGIN_PASSWORDFILE parameter must be set to EXCLUSIVE or NONE.
- O112-BP-022700 - The Oracle Listener must be configured to require administration authentication.
- O112-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - '/etc/profile umask < 022'
- O112-BP-025400 - Access to DBMS software files and directories must not be granted to unauthorized users - 'umask < 0022'
- O112-BP-025600 - Network access to the DBMS must be restricted to authorized personnel - TCP.INVITED_NODES
-
DISA STIG Oracle 11 Instance v9r1 OS Windows
- DG0102-ORACLE11 - DBMS processes or services should run under custom, dedicated OS accounts - 'No Oracle services are running as LocalSystem'
- DG0102-ORACLE11 - DBMS processes or services should run under custom, dedicated OS accounts - 'Oracle Services are running under dedicated service accounts'
- DISA_Oracle_11g_Instance_v9r1_OS_Windows.audit from DISA Oracle Database 11g Instance STIG v9r1 STIG
-
DISA STIG Oracle 11 Instance v9r1 OS Unix
- DG0102-ORACLE11 - DBMS processes or services should run under custom, dedicated OS accounts - 'dbsnmp services are using correct service account'
- DG0102-ORACLE11 - DBMS processes or services should run under custom, dedicated OS accounts - 'pmon services are using correct service account'
- DG0102-ORACLE11 - DBMS processes or services should run under custom, dedicated OS accounts - 'tns services are using correct service account'
- DISA_Oracle_11g_Instance_v9r1_OS_Linux.audit from DISA Oracle Database 11g Instance STIG v9r1 STIG
-
DISA STIG Oracle 11 Installation v9r1 Windows
- DG0001-ORACLE11 - Vendor supported software is evaluated and patched against newly found vulnerabilities.
- DG0003-ORACLE11 - The latest security patches should be installed.
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle DBA is only a member of ORA_DBA and Users group'
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'Oracle instance DBA is only a member of ORA_{SID}_DBA and Users group'
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'ORA_DBA Group has no unauthorized users'
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'ORA_{SID}_DBA Group has no unauthorized users'
-
DISA STIG Oracle 11 Installation v9r1 Linux
- DG0001-ORACLE11 - Vendor supported software is evaluated and patched against newly found vulnerabilities.
- DG0003-ORACLE11 - The latest security patches should be installed.
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'DBA user group members'
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'No dba account is a member of the root group'
- DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'root is not a member of dba groups'
- DG0007-ORACLE11 - The database should be secured in accordance with DoD, vendor and/or commercially accepted practices where applicable.
-
DISA STIG Office System 2010 v1r12
- DTOO177 - Office System - Access to updates, add-ins, and patches on Office.com must be disabled.
- DTOO178 - Office System - Upload of document templates to Office Online must be prevented.
- DTOO179 - Office System - Documents must be configured to not open as Read Write when browsing.
- DTOO180 - Office System - Vector Markup Language (VML) for displaying graphics in browsers must be disallowed.
- DTOO182 - Office System - The Help Improve Proofing Tools feature for Office must be configured.
- DTOO183 - Office System - The Opt-In Wizard must be disabled.
-
DISA STIG Office 2010 Word v1r11
- DTOO104 - Word - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO110 - Word - Blocking as default file block opening behavior must be enforced.
- DTOO111 - Word - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Word - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO119 - Word - Configuration for file validation must be enforced.
- DTOO121 - Word - Files from the Internet zone must be opened in Protected View.
-
DISA STIG Office 2010 Publisher v1r11
- DTOO104 - Publisher - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Publisher - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Publisher - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Publisher - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Publisher - Scripted Window Security must be enforced.
- DTOO126 - Publisher - Add-on Management functionality must be allowed.
-
DISA STIG Office 2010 Project v1r9
- DTOO104 - Project - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Project - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Project - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Project - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Project - Scripted Window Security must be enforced.
- DTOO126 - Project - Add-on Management functionality must be allowed.
-
DISA STIG Office 2010 PowerPoint v1r10
- DTOO104 - PowerPoint - Disabling of user name and password syntax from being used in URLs must be enforced - powerpnt.exe
- DTOO104 - PowerPoint - Disabling of user name and password syntax from being used in URLs must be enforced - pptview.exe
- DTOO110 - PowerPoint - Blocking as default file block opening behavior must be enforced.
- DTOO111 - PowerPoint - Enabling IE Bind to Object functionality must be present - powerpnt.exe
- DTOO111 - PowerPoint - Enabling IE Bind to Object functionality must be present - pptview.exe
- DTOO117 - PowerPoint - Saved from URL mark to assure Internet zone processing must be enforced - powerpnt.exe
-
DISA STIG Office 2010 Outlook v1r13
- DTOO104 - Outlook - Disable user name and password syntax from being used in URLs
- DTOO111 - Outlook - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Outlook - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Outlook - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Outlook - Scripted Window Security must be enforced.
- DTOO126 - Outlook - Add-on Management functionality must be allowed.
-
DISA STIG Office 2010 OneNote v1r9
- DTOO104 - OneNote - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - OneNote - Enabling IE Bind to Object functionality must be present.
- DTOO117 - OneNote - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - OneNote - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - OneNote - Scripted Window Security must be enforced.
- DTOO126 - OneNote - Add-on Management functionality must be allowed.
-
DISA STIG Office 2010 InfoPath v1r11
- DTOO127 - InfoPath - Application add-ins must be signed by Trusted Publisher.
- DTOO128 - InfoPath - Data Execution Prevention must be enforced.
- DTOO131 - InfoPath - Trust Bar Notifications for unsigned application add-ins must be blocked.
- DTOO133 - InfoPath - All automatic loading from Trusted Locations must be disabled.
- DTOO156 - InfoPath - Offline Mode capability to cache queries for offline mode must be configured.
- DTOO157 - InfoPath - Redirection behavior for upgraded web sites by SharePoint must be blocked.
-
DISA STIG Office 2010 Access v1r10
- DTOO104 - Access - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Access - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Access - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Access - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Access - Scripted Window Security must be enforced.
- DTOO126 - Access - Add-on Management functionality must be allowed.
-
DISA STIG Office 2010 Excel v1r11
- DTOO104 - Excel - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO105 - Excel - Open/Save actions for Excel 4 macrosheets and add-in files must be blocked.
- DTOO106 - Excel - Open/Save actions for Excel 4 workbooks must be blocked.
- DTOO107 - Excel - Open/Save actions for Excel 4 worksheets must be blocked.
- DTOO108 - Excel - Actions for Excel 95 workbooks must be configured to edit in protected view.
- DTOO109 - Excel - Actions for Excel 95-97 workbooks and templates must be configured to edit in protected view.
-
DISA STIG Mozilla Firefox Windows v6r1
- FFOX-00-000001 - The installed version of Firefox must be supported.
- FFOX-00-000002 - Firefox must be configured to allow only TLS 1.2 or above.
- FFOX-00-000003 - Firefox must be configured to ask which certificate to present to a website when a certificate is required.
- FFOX-00-000004 - Firefox must be configured to not automatically check for updated versions of installed search plugins.
- FFOX-00-000005 - Firefox must be configured to not automatically update installed add-ons and plugins.
- FFOX-00-000006 - Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.
-
DISA STIG Mozilla Firefox MacOS v6r1
- FFOX-00-000001 - The installed version of Firefox must be supported.
- FFOX-00-000002 - Firefox must be configured to allow only TLS 1.2 or above.
- FFOX-00-000003 - Firefox must be configured to ask which certificate to present to a website when a certificate is required.
- FFOX-00-000004 - Firefox must be configured to not automatically check for updated versions of installed search plugins.
- FFOX-00-000005 - Firefox must be configured to not automatically update installed add-ons and plugins.
- FFOX-00-000006 - Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.
-
DISA STIG Mozilla Firefox Linux v6r1
- FFOX-00-000001 - The installed version of Firefox must be supported.
- FFOX-00-000002 - Firefox must be configured to allow only TLS 1.2 or above.
- FFOX-00-000003 - Firefox must be configured to ask which certificate to present to a website when a certificate is required.
- FFOX-00-000004 - Firefox must be configured to not automatically check for updated versions of installed search plugins.
- FFOX-00-000005 - Firefox must be configured to not automatically update installed add-ons and plugins.
- FFOX-00-000006 - Firefox must be configured to not automatically execute or download MIME types that are not authorized for auto-download.
-
DISA STIG MongoDB Enterprise Advanced 3.x v1r2
- MD3X-00-000010 - MongoDB must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
- MD3X-00-000020 - MongoDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- MD3X-00-000040 - MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
- MD3X-00-000190 - The audit information produced by MongoDB must be protected from unauthorized read access.
- MD3X-00-000220 - MongoDB must protect its audit features from unauthorized access.
- MD3X-00-000250 - MongoDB software installation account must be restricted to authorized users.
-
DISA STIG Microsoft Word 2016 v1r1
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO110 - Blocking as default file block opening behavior must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO119 - Configuration for file validation must be enforced.
- DTOO121 - Files from the Internet zone must be opened in Protected View.
-
DISA STIG Microsoft Word 2013 v1r6
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO110 - Blocking as default file block opening behavior must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO119 - Configuration for file validation must be enforced.
- DTOO121 - Files from the Internet zone must be opened in Protected View.
-
DISA STIG Microsoft Visio 2016 v1r1
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Visio 2013 v1r4
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Skype for Business 2016 v1r1
-
DISA STIG Microsoft Sharepoint Designer 2013 v1r3
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Publisher 2016 v1r3
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced
- DTOO123 - Navigation to URLs embedded in Office products must be blocked
- DTOO124 - Scripted Window Security must be enforced
- DTOO126 - Add-on Management functionality must be allowed
-
DISA STIG Microsoft Publisher 2013 v1r5
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Project 2016 v1r1
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Project 2013 v1r4
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft PowerPoint 2016 v1r1
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint.
- DTOO110 - Blocking as default file block opening behavior must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled in PowerPoint.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint.
- DTOO119 - Configuration for file validation must be enforced.
- DTOO121 - Files from the Internet zone must be opened in Protected View.
-
DISA STIG Microsoft PowerPoint 2013 v1r6
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced in PowerPoint.
- DTOO110 - Blocking as default file block opening behavior must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled in PowerPoint.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing in PowerPoint.
- DTOO119 - Configuration for file validation must be enforced.
- DTOO121 - Files from the Internet zone must be opened in Protected View.
-
DISA STIG Microsoft Outlook 2013 v1r13
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Outlook 2016 v2r1
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft OneNote 2016 v1r2
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft OneNote 2013 v1r3
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft OneDrive v2r2
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Office System 2016 v2r1
- DTOO182 - The Help Improve Proofing Tools feature for Office must be configured.
- DTOO186 - Trust Bar notifications for Security messages must be enforced.
- DTOO187 - Rights managed Office Open XML files must be protected.
- DTOO188 - Document metadata for password protected files must be protected.
- DTOO189 - The encryption type for password protected Open XML files must be set.
- DTOO190 - The encryption type for password protected Office 97 thru Office 2003 must be set.
-
DISA STIG Microsoft Office Access 2016 v1r1
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced
- DTOO111 - Enabling IE Bind to Object functionality must be present
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced
- DTOO123 - Navigation to URLs embedded in Office products must be blocked
- DTOO124 - Scripted Window Security must be enforced
- DTOO126 - Add-on Management functionality must be allowed
-
DISA STIG Microsoft Office System 2013 v2r1
- DTOO179 - Documents must be configured to not open as Read Write when browsing.
- DTOO180 - Relying on Vector Markup Language (VML) for displaying graphics in browsers must be disallowed - VML for displaying graphics in browsers must be disallowed
- DTOO182 - The Help Improve Proofing Tools feature for Office must be configured.
- DTOO183 - The Opt-In Wizard must be disabled.
- DTOO184 - The Customer Experience Improvement Program for Office must be disabled.
- DTOO185 - Automatic receiving of small updates to improve reliability must be disallowed.
-
DISA STIG Microsoft Office 365 ProPlus v2r3
- DISA_STIG_Microsoft_Office_365_ProPlus_v2r3.audit from DISA Microsoft Office 365 ProPlus v2r3 STIG
- O365-AC-000001 - Macros must be blocked from running in Access files from the Internet.
- O365-AC-000002 - Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
- O365-AC-000003 - VBA Macros not digitally signed must be blocked in Access.
- O365-AC-000004 - Allowing Trusted Locations on the network must be disabled in Access.
- O365-CO-000001 - The Macro Runtime Scan Scope must be enabled for all documents.
-
DISA STIG Microsoft Lync 2013 v1r4
-
DISA STIG Microsoft Internet Explorer 9 v1r15
- DISA_STIG_Microsoft_Internet_Explorer_9_v1r15.audit from DISA Microsoft Internet Explorer 9 v1r15 STIG
- DTBI001 - The IE home page is not set to blank or a trusted site.
- DTBI002 - IE9 - The installed version of IE must be a supported version.
- DTBI010 - First Run Customize settings must be enabled as home page.
- DTBI014 - The IE TLS parameter must be set correctly.
- DTBI015 - The IE warning about certificate address mismatch must be enforced.
-
DISA STIG Microsoft InfoPath 2013 v1r5
- DTOO127 - Add-ins to Office applications must be signed by a Trusted Publisher.
- DTOO131 - Trust Bar Notifications for unsigned application add-ins must be blocked.
- DTOO133 - All automatic loading from Trusted Locations must be disabled.
- DTOO156 - Offline Mode capability to cache queries for offline mode must be configured.
- DTOO157 - Redirection behavior for upgraded web sites by SharePoint must be blocked.
- DTOO158 - Disabling the opening of solutions from the Internet Security Zone must be configured.
-
DISA STIG Microsoft Groove 2013 v1r3
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - The Internet Explorer Bind to Object functionality must be enabled.
- DTOO117 - The Saved from URL mark must be selected to enforce Internet zone processing.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Microsoft Excel 2016 v1r2
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO105 - Open/Save actions for Excel 4 macrosheets and add-in files must be blocked.
- DTOO106 - Open/Save actions for Excel 4 workbooks must be blocked.
- DTOO107 - Open/Save actions for Excel 4 worksheets must be blocked.
- DTOO108 - Actions for Excel 95 workbooks must be configured to edit in Protected View.
- DTOO109 - Actions for Excel 95-97 workbooks and templates must be configured to edit in Protected View.
-
DISA STIG Microsoft Excel 2013 v1r7
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO105 - Open/Save actions for Excel 4 macrosheets and add-in files must be blocked.
- DTOO106 - Open/Save actions for Excel 4 workbooks must be blocked.
- DTOO107 - Open/Save actions for Excel 4 worksheets must be blocked.
- DTOO108 - Actions for Excel 95 workbooks must be configured to edit in Protected View.
- DTOO109 - Actions for Excel 95-97 workbooks and templates must be configured to edit in Protected View.
-
DISA STIG McAfee VirusScan 8.8 Local Client v5r16
-
DISA STIG Microsoft Access 2013 v1r6
- DTOO104 - Disabling of user name and password syntax from being used in URLs must be enforced.
- DTOO111 - Enabling IE Bind to Object functionality must be present.
- DTOO117 - Saved from URL mark to assure Internet zone processing must be enforced.
- DTOO123 - Navigation to URLs embedded in Office products must be blocked.
- DTOO124 - Scripted Window Security must be enforced.
- DTOO126 - Add-on Management functionality must be allowed.
-
DISA STIG Kubernetes v1r4
- CNTR-K8-000150 - The Kubernetes Controller Manager must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
- CNTR-K8-000160 - The Kubernetes Scheduler must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
- CNTR-K8-000170 - The Kubernetes API Server must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination.
- CNTR-K8-000180 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
- CNTR-K8-000190 - The Kubernetes etcd must use TLS to protect the confidentiality of sensitive data during electronic dissemination.
- CNTR-K8-000220 - The Kubernetes Controller Manager must create unique service accounts for each work payload.
-
DISA STIG Juniper Router RTR v2r2
- JUNI-RT-000010 - The Juniper router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
- JUNI-RT-000020 - The Juniper router must be configured to implement message authentication for all control plane protocols - BGP
- JUNI-RT-000020 - The Juniper router must be configured to implement message authentication for all control plane protocols - IS-IS key
- JUNI-RT-000020 - The Juniper router must be configured to implement message authentication for all control plane protocols - IS-IS type
- JUNI-RT-000020 - The Juniper router must be configured to implement message authentication for all control plane protocols - LDP
- JUNI-RT-000020 - The Juniper router must be configured to implement message authentication for all control plane protocols - OSPF
-
DISA STIG Juniper Router NDM v1r5
- JUNI-ND-000010 - The Juniper router must be configured to limit the number of concurrent management sessions to an organization-defined number - connection-limit
- JUNI-ND-000010 - The Juniper router must be configured to limit the number of concurrent management sessions to an organization-defined number - max-sessions-per-connection
- JUNI-ND-000090 - The Juniper router must be configured to automatically audit account creation.
- JUNI-ND-000100 - The Juniper router must be configured to automatically audit account modification.
- JUNI-ND-000110 - The Juniper router must be configured to automatically audit account disabling actions.
- JUNI-ND-000120 - The Juniper router must be configured to automatically audit account removal actions.
-
DISA STIG Juniper Infrastructure Router V8R29
- NET-IPV6-025 - The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave, (FEC0::/10)
- NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF enabled
- NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF firewall filter log
- NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF firewall filter reject
- NET-IPV6-034 - The network element must be configured via egress ACL or by enabling uRPF in an IPv6 enclave - uRPF interfaces fail-filter
- NET-IPV6-059 - The administrator must ensure that the maximum hop limit is at least 32.
-
DISA STIG Juniper Perimeter Router V8R32
- NET-IPV6-004 - Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.
- NET-IPV6-006 - Ensure the undetermined transport packet is blocked at the perimeter in an IPv6 enclave by the router.
- NET-IPV6-008 - The IAO/NSO will ensure IPv6 6bone address space is blocked on the ingress and egress filter, (3FFE::/16).
- NET-IPV6-010 - Permit inbound ICMPv6 messages Packet-too-big, Time Exceeded, Parameter Problem, Echo Reply, and Neighbor Discovery.
- NET-IPV6-011 - The network element can permit outbound ICMPv6 Packet-too-big, Echo Request, and Neighborhood Discovery - echo-request
- NET-IPV6-011 - The network element can permit outbound ICMPv6 Packet-too-big, Echo Request, and Neighborhood Discovery - neighbor-adv
-
DISA STIG IIS 6.0 Site Checklist v6r16
- WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.asa'
- WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.asax'
- WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.inc file permissions'
- WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - '.inc'
- WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - 'global.asa'
- WA000-WI030 IIS6 - The IUSR_machinename account must not have read access to the .inc files or their equivalent. - 'global.asax'
-
DISA STIG IIS 6.0 Server v6r16
- WA000-WI080 IIS6 - The IIS Internet Printing Protocol must be disabled.
- WA000-WI100 IIS6 - The File System Object component, if not required, must be disabled. - 'Scripting.FileSystemObject Check'
- WA000-WI100 IIS6 - The File System Object component, if not required, must be disabled. - '{0D43FE01-F093-11CF-8940-00A0C9054228} Check'
- WA000-WI110 IIS6 - The command shell options must be disabled.
- WA000-WI6080 IIS6 - The AllowRestrictedChars registry key must be disabled.
- WA000-WI6082 IIS6 - The EnableNonUTF8 registry key must be disabled.
-
DISA STIG IE 11 v2r1
- DTBI014-IE11 - Turn off Encryption Support must be enabled.
- DTBI015-IE11 - The Internet Explorer warning about certificate address mismatch must be enforced.
- DTBI018-IE11 - Check for publishers certificate revocation must be enforced.
- DTBI022-IE11 - The Download signed ActiveX controls property must be disallowed (Internet zone).
- DTBI023-IE11 - The Download unsigned ActiveX controls property must be disallowed (Internet zone).
- DTBI024-IE11 - The Initialize and script ActiveX controls not marked as safe property must be disallowed (Internet zone).
-
DISA STIG IBM DB2 v10.5 LUW v1r4 OS Windows
- DB2X-00-000300 - DB2 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals - config file
- DB2X-00-002200 - The audit information produced by DB2 must be protected from unauthorized read access - ownership
- DB2X-00-002200 - The audit information produced by DB2 must be protected from unauthorized read access - verify setting
- DB2X-00-002300 - The audit information produced by DB2 must be protected from unauthorized modification - ownership
- DB2X-00-002300 - The audit information produced by DB2 must be protected from unauthorized modification - verify setting
- DB2X-00-002400 - The audit information produced by DB2 must be protected from unauthorized deletion - ownership
-
DISA STIG IBM DB2 v10.5 LUW v1r4 OS Linux
- DB2X-00-000300 - DB2 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals - config file
- DB2X-00-002200 - The audit information produced by DB2 must be protected from unauthorized read access - ownership
- DB2X-00-002200 - The audit information produced by DB2 must be protected from unauthorized read access - verify setting
- DB2X-00-002300 - The audit information produced by DB2 must be protected from unauthorized modification - ownership
- DB2X-00-002300 - The audit information produced by DB2 must be protected from unauthorized modification - verify setting
- DB2X-00-002400 - The audit information produced by DB2 must be protected from unauthorized deletion - ownership
-
DISA STIG Google Chrome v2r4
- DTBC-0001 - Firewall traversal from remote host must be disabled.
- DTBC-0002 - Site tracking users location must be disabled.
- DTBC-0004 - Sites ability to show pop-ups must be disabled.
- DTBC-0005 - Extensions installation must be blocklisted by default.
- DTBC-0006 - Extensions that are approved for use must be allowlisted.
- DTBC-0007 - The default search providers name must be set.
-
DISA STIG for Red Hat Enterprise Linux 5 v1r18
- GEN000000-LNX001431 - The /etc/gshadow file must be owned by root.
- GEN000000-LNX001432 - The /etc/gshadow file must be group-owned by root.
- GEN000000-LNX001433 - The /etc/gshadow file must have mode 0400.
- GEN000000-LNX001434 - The /etc/gshadow file must not have an extended ACL.
- GEN000000-LNX001476 - The /etc/gshadow file must not contain any group password hashes.
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/passwd - halt'
-
DISA STIG for Oracle Linux 5 v2r1
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/passwd halt'
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/passwd reboot'
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/passwd shutdown'
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow halt'
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow reboot'
- GEN000000-LNX00320 - The system must not have special privilege accounts, such as shutdown and halt - '/etc/shadow shutdown'
-
DISA STIG for Microsoft Dot Net Framework 4.0 v2r1
- APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified.
- APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00.
- APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the IAO.
- APPNET0052 - Encryption keys used for the .NET Strong Name Membership Condition must be protected.
- APPNET0055 - CAS and policy configuration files must be backed up.
- APPNET0060 - Remoting Services HTTP channels must utilize authentication and encryption - applications
-
DISA STIG Docker Enterprise 2.x Linux/Unix v2r1
- DKER-EE-001050 - TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
- DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions
- DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker paths
- DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker services
- DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers.
- DKER-EE-001240 - The Docker Enterprise hosts process namespace must not be shared.
-
DISA STIG Edge v1r4
- EDGE-00-000001 - User control of proxy settings must be disabled.
- EDGE-00-000002 - Bypassing Microsoft Defender SmartScreen prompts for sites must be disabled.
- EDGE-00-000003 - Bypassing of Microsoft Defender SmartScreen warnings about downloads must be disabled.
- EDGE-00-000004 - The list of domains for which Microsoft Defender SmartScreen will not trigger warnings must be whitelisted if used.
- EDGE-00-000005 - InPrivate mode must be disabled.
- EDGE-00-000006 - Background processing must be disabled.
-
DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1
- DKER-EE-001000 - The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.
- DKER-EE-001080 - The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
- DKER-EE-001100 - LDAP integration in Docker Enterprise must be configured.
- DKER-EE-001170 - A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
- DKER-EE-001180 - A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set - team member access
- DKER-EE-001870 - The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
-
DISA STIG Docker Enterprise 2.x Linux/Unix DTR v2r1
- DKER-EE-001180 - A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set - repositoryAccess
- DKER-EE-001880 - The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.
- DKER-EE-001900 - The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
- DKER-EE-001920 - Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
- DKER-EE-003840 - Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.
- DKER-EE-003930 - Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
-
DISA STIG Cisco Perimeter Router v8r32
- NET-IPV6-004 - IPv6 Router Advertisements must be suppressed.
- NET-IPV6-006 - Undetermined transport is not blocked
- NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 3FFE::/16 any log'
- NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 any 3FFE::/16 log'
- NET-IPV6-008 - IPV6 Bogons are not blocked - 'Ingress IPv6 traffic-filter'
- NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'deny icmp any any fragments log'
-
DISA STIG Cisco Perimeter L3 Switch v8r32
- NET-IPV6-004 - IPv6 Router Advertisements must be suppressed.
- NET-IPV6-006 - Undetermined transport is not blocked
- NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 3FFE::/16 any log'
- NET-IPV6-008 - IPV6 Bogons are not blocked - 'deny ipv6 any 3FFE::/16 log'
- NET-IPV6-008 - IPV6 Bogons are not blocked - 'Ingress IPv6 traffic-filter'
- NET-IPV6-010 - Inbound ICMPv6 messages are not blocked - 'deny icmp any any fragments log'
-
DISA STIG Cisco NX-OS Switch RTR v2r1
- CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - bgp
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - eigrp
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - is-is
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - ospf
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - rip
-
DISA STIG Cisco NX-OS Switch Level 2S v2r1
- CISC-L2-000010 - The Cisco switch must be configured to disable non-essential capabilities.
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa authentication
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa group
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - dot1x port-control auto
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - interface dot1x
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - radius server
-
DISA STIG Cisco NX-OS Switch NDM v2r3
- CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number.
- CISC-ND-000090 - The Cisco switch must be configured to automatically audit account creation - aaa accounting default group
- CISC-ND-000090 - The Cisco switch must be configured to automatically audit account creation - servers
- CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification - aaa accounting default group
- CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification - servers
- CISC-ND-000110 - The Cisco switch must be configured to automatically audit account disabling actions - aaa accounting default group
-
DISA STIG Cisco Level 2 Switch V8R27
- NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - '802.1x authentication'
- NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'aaa authentication'
- NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'radius-server host'
- NET-NAC-009 - The switch must be configured to use 802.1x authentication on host facing access switch ports - 'system-auth-control'
- NET-NAC-031 - The switch must only allow a maximum of one registered MAC address per access port.
- NET-NAC-032 - Switchport does not shutdown on a violation
-
DISA STIG Cisco IOS-XR Router RTR v2r1
- CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-group
- CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-list extended
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - BGP
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - EIGRP
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - IS-IS
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - OSPF
-
DISA STIG Cisco IOS-XR Router NDM v2r2
- CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number.
- CISC-ND-000140 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies - access-class deny
- CISC-ND-000140 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies - access-class permit
- CISC-ND-000140 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies - line default
- CISC-ND-000140 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of management information within the device based on control policies - vty-pool
- CISC-ND-000150 - The Cisco router must be configured to enforce the limit of three consecutive invalid logon attempts after which time lock out the user account from accessing the device for 15 minutes - aaa auth
-
DISA STIG Cisco IOS XE Switch RTR v2r1
- CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - bgp
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - eigrp
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - is-is
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - ospf
- CISC-RT-000030 - The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
-
DISA STIG Cisco IOS XE Switch NDM v2r2
- CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number - ip http max connections
- CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number - session-limit
- CISC-ND-000090 - The Cisco switch must be configured to automatically audit account creation.
- CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification.
- CISC-ND-000110 - The Cisco switch must be configured to automatically audit account disabling actions.
- CISC-ND-000120 - The Cisco switch must be configured to automatically audit account removal actions.
-
DISA STIG Cisco IOS XE Switch Level 2S v2r2
- CISC-L2-000010 - The Cisco switch must be configured to disable non-essential capabilities - no ip boot server
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa authentication
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa group
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa new-model
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - dot1x system-auth-control
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - interface dot1x
-
DISA STIG Cisco IOS XE Router RTR v2r3
- CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-group
- CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-list extended
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - BGP
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - EIGRP
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - IS-IS
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - OSPF
-
DISA STIG Cisco IOS XE Router NDM v2r3
- CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number - ip http max-connections
- CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number - session-limit
- CISC-ND-000090 - The Cisco router must be configured to automatically audit account creation.
- CISC-ND-000100 - The Cisco router must be configured to automatically audit account modification.
- CISC-ND-000110 - The Cisco router must be configured to automatically audit account disabling actions.
- CISC-ND-000120 - The Cisco router must be configured to automatically audit account removal actions.
-
DISA STIG Cisco IOS Switch RTR v2r1
- CISC-RT-000010 - The Cisco switch must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - bgp
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - eigrp
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - is-is
- CISC-RT-000020 - The Cisco switch must be configured to implement message authentication for all control plane protocols - ospf
- CISC-RT-000030 - The Cisco switch must be configured to use keys with a duration not exceeding 180 days for authenticating routing protocol messages.
-
DISA STIG Cisco IOS Switch NDM v2r3
- CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number - ip http max connections
- CISC-ND-000010 - The Cisco switch must be configured to limit the number of concurrent management sessions to an organization-defined number.
- CISC-ND-000090 - The Cisco switch must be configured to automatically audit account creation.
- CISC-ND-000100 - The Cisco switch must be configured to automatically audit account modification.
- CISC-ND-000110 - The Cisco switch must be configured to automatically audit account disabling actions.
- CISC-ND-000120 - The Cisco switch must be configured to automatically audit account removal actions.
-
DISA STIG Cisco IOS Router RTR v2r1
- CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-group
- CISC-RT-000010 - The Cisco router must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies - ip access-list extended
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - BGP
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - EIGRP
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - IS-IS
- CISC-RT-000020 - The Cisco router must be configured to implement message authentication for all control plane protocols - OSPF
-
DISA STIG Cisco IOS Switch Level 2S v2r2
- CISC-L2-000010 - The Cisco switch must be configured to disable non-essential capabilities - no ip boot server
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa authentication
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa group
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa new-model
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - dot1x system-auth-control
- CISC-L2-000020 - The Cisco switch must uniquely identify all network-connected endpoint devices before establishing any connection - interface dot1x
-
DISA STIG Cisco IOS Router NDM v2r3
- CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number - ip http max-connections
- CISC-ND-000010 - The Cisco router must be configured to limit the number of concurrent management sessions to an organization-defined number - session-limit
- CISC-ND-000090 - The Cisco router must be configured to automatically audit account creation.
- CISC-ND-000100 - The Cisco router must be configured to automatically audit account modification.
- CISC-ND-000110 - The Cisco router must be configured to automatically audit account disabling actions.
- CISC-ND-000120 - The Cisco router must be configured to automatically audit account removal actions.
-
DISA STIG Cisco Infrastructure Router v8r29
- NET-IPV6-025 - IPv6 Site Local Unicast ADDR must not be defined
- NET-IPV6-033 - IPv6 routers are not configured with CEF enabled
- NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'deny ipv6 any any log'
- NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'ipv6 verify unicast source reachable-via rx OUTBOUND_TO_BACKBONE'
- NET-IPV6-059 - Maximum hop limit is less than 32
- NET-IPV6-065 - The 6-to-4 router is not filtering protocol 41 - 'ip access-group IPV4_EGRESS_FILTER'
-
DISA STIG Cisco Infrastructure L3 Switch v8r29
- NET-IPV6-025 - IPv6 Site Local Unicast ADDR must not be defined
- NET-IPV6-033 - IPv6 routers are not configured with CEF enabled
- NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'deny ipv6 any any log'
- NET-IPV6-034 - IPv6 Egress Outbound Spoofing Filter - 'ipv6 verify unicast source reachable-via rx OUTBOUND_TO_BACKBONE'
- NET-IPV6-059 - Maximum hop limit is less than 32
- NET-IPV6-065 - The 6-to-4 router is not filtering protocol 41 - 'ip access-group IPV4_EGRESS_FILTER'
-
DISA STIG Cisco Firewall v8r25
- NET-IPV6-004 - Router advertisements must be suppressed on all external-facing IPv6-enabled interfaces.
- NET-IPV6-005 - The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3
- NET-IPV6-024 - IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. - 2002 inbound
- NET-IPV6-024 - IPv6 6-to-4 addresses with a prefix of 2002::/16 must be filtered at the perimeter. - 2002 outbound
- NET-IPV6-025 - The network device must be configured to ensure IPv6 Site Local Unicast addresses are not defined in the enclave
- NET-IPV6-035 - IPv6 Jumbo Payload hop by hop header must be blocked.
-
DISA STIG Cisco ASA VPN v1r1
- CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. - svc
- CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. - vpn
- CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. - vpnc
- CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. - vpnfo
- CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. - webfo
- CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. - webvpn
-
DISA STIG Cisco ASA FW v1r1
- CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. - ACL Applied
- CASA-FW-000010 - The Cisco ASA must be configured to filter outbound traffic, allowing only authorized ports and services. - ingress ACL
- CASA-FW-000020 - The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones.
- CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. - VPN Group Policy
- CASA-FW-000030 - The Cisco ASA must be configured to restrict VPN traffic according to organization-defined filtering rules. - VPN Rules
- CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred. - Log Parameters
-
DISA STIG Cisco ASA NDM v1r1
- CASA-ND-000010 - The Cisco ASA must be configured to limit the number of concurrent management sessions to an organization-defined number.
- CASA-ND-000090 - The Cisco ASA must be configured to automatically audit account creation. - Buffer Enabled
- CASA-ND-000090 - The Cisco ASA must be configured to automatically audit account creation. - logging enable
- CASA-ND-000100 - The Cisco ASA must be configured to automatically audit account modification. - Buffer Enabled
- CASA-ND-000100 - The Cisco ASA must be configured to automatically audit account modification. - logging enabled
- CASA-ND-000110 - The Cisco ASA must be configured to automatically audit account disabling actions. - Buffer Enabled
-
DISA STIG Arista MLS DCS-7000 Series RTR v1r3
- AMLS-L3-000100 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.
- AMLS-L3-000110 - The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.
- AMLS-L3-000120 - The Arista Multilayer Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled - PIM neighbor filter to interfaces that have PIM enabled.
- AMLS-L3-000130 - The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.
- AMLS-L3-000140 - The Arista Multilayer Switch must be configured so inactive router interfaces are disabled.
- AMLS-L3-000150 - The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the site's address space.
-
DISA STIG Arista MLS DCS-7000 Series NDM v1r3
- AMLS-NM-000100 - The Arista Multilayer Switch must have a local infrequently used account to be used as an account of last resort with full access to the network device.
- AMLS-NM-000110 - The Arista Multilayer Switch account of last resort must have a password with a length of 15 characters.
- AMLS-NM-000120 - The Arista Multilayer Switch must automatically audit account creation.
- AMLS-NM-000130 - The Arista Multilayer Switch must automatically audit account modification.
- AMLS-NM-000140 - The Arista Multilayer Switch must automatically audit account disabling actions.
- AMLS-NM-000150 - The Arista Multilayer Switch must automatically audit account removal actions.
-
DISA STIG Arista MLS DCS-7000 Series Level 2S v1r2
- AMLS-L2-000100 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.
- AMLS-L2-000110 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
- AMLS-L2-000120 - The Arista Multilayer Switch must uniquely identify all network-connected endpoint devices before establishing any connection - aaa auth dot1x default group
- AMLS-L2-000120 - The Arista Multilayer Switch must uniquely identify all network-connected endpoint devices before establishing any connection - dot1x system-auth-control
- AMLS-L2-000130 - The Arista Multilayer Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based - aaa authentication dot1x default group
- AMLS-L2-000130 - The Arista Multilayer Switch must authenticate all endpoint devices before establishing a network connection using bidirectional authentication that is cryptographically based - dot1x system-auth-control
-
DISA STIG Apple Mac OSX 10.15 v1r7
- AOSX-15-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.
- AOSX-15-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
- AOSX-15-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
- AOSX-15-000004 - The macOS system must initiate a session lock after a 15-minute period of inactivity.
- AOSX-15-000005 - The macOS system must be configured to lock the user session when a smart token is removed.
- AOSX-15-000006 - The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
-
DISA STIG Apple macOS 11 v1r5
- APPL-11-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.
- APPL-11-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
- APPL-11-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
- APPL-11-000004 - The macOS system must initiate a session lock after a 15-minute period of inactivity.
- APPL-11-000005 - The macOS system must be configured to lock the user session when a smart token is removed.
- APPL-11-000006 - The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
-
DISA STIG Apple Mac OSX 10.14 v2r5
- AOSX-14-000001 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.
- AOSX-14-000002 - The macOS system must retain the session lock until the user reestablishes access using established identification and authentication procedures.
- AOSX-14-000003 - The macOS system must initiate the session lock no more than five seconds after a screen saver is started.
- AOSX-14-000004 - The macOS system must initiate a session lock after a 15-minute period of inactivity.
- AOSX-14-000005 - The macOS system must be configured to lock the user session when a smart token is removed.
- AOSX-14-000006 - The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
-
DISA STIG Apple Mac OSX 10.13 v2r3
- AOSX-13-000005 - The macOS system must conceal, via the session lock, information previously visible on the display with a publicly viewable image.
- AOSX-13-000006 - The macOS system must be configured to disable hot corners - wvous-bl-corner
- AOSX-13-000006 - The macOS system must be configured to disable hot corners - wvous-br-corner
- AOSX-13-000006 - The macOS system must be configured to disable hot corners - wvous-tl-corner
- AOSX-13-000006 - The macOS system must be configured to disable hot corners - wvous-tr-corner
- AOSX-13-000007 - The macOS system must be configured to prevent Apple Watch from terminating a session lock.
-
DISA STIG Apache Tomcat Application Server 9 v2r3 Middleware
- TCAT-AS-000010 - The number of allowed simultaneous sessions to the manager application must be limited.
- TCAT-AS-000020 - Secured connectors must be configured to use strong encryption ciphers.
- TCAT-AS-000030 - HTTP Strict Transport Security (HSTS) must be enabled.
- TCAT-AS-000040 - TLS 1.2 must be used on secured HTTP connectors.
- TCAT-AS-000050 - AccessLogValve must be configured for each application context.
- TCAT-AS-000060 - Default password for keystore must be changed.
-
DISA STIG Apache Site 2.2 Windows v1r13
- WA00605 W22 - Error logging must be enabled.
- WA00605 W22 - Error logging must be enabled.
- WA00612 W22 - The site's error logs must log the correct format.
- WA00612 W22 - The site's error logs must log the correct format.
- WA00615 W22 - System logging must be enabled. - 'CustomLog'
- WA00615 W22 - System logging must be enabled. - 'CustomLog'
-
DISA STIG Apache Tomcat Application Server 9 v2r3
- TCAT-AS-000010 - The number of allowed simultaneous sessions to the manager application must be limited.
- TCAT-AS-000010 - The number of allowed simultaneous sessions to the manager application must be limited.
- TCAT-AS-000020 - Secured connectors must be configured to use strong encryption ciphers.
- TCAT-AS-000020 - Secured connectors must be configured to use strong encryption ciphers.
- TCAT-AS-000030 - HTTP Strict Transport Security (HSTS) must be enabled.
- TCAT-AS-000030 - HTTP Strict Transport Security (HSTS) must be enabled.
-
DISA STIG Apache Site 2.2 Unix v1r11 Middleware
- WA00605 A22 - Error logging must be enabled.
- WA00605 A22 - Error logging must be enabled.
- WA00612 A22 - The site's error logs must log the correct format.
- WA00612 A22 - The site's error logs must log the correct format.
- WA00615 A22 - System logging must be enabled.
- WA00615 A22 - System logging must be enabled.
-
DISA STIG Apache Site 2.2 Unix v1r11
- WA00605 A22 - Error logging must be enabled.
- WA00605 A22 - Error logging must be enabled.
- WA00612 A22 - The site's error logs must log the correct format.
- WA00612 A22 - The site's error logs must log the correct format.
- WA00615 A22 - System logging must be enabled.
- WA00615 A22 - System logging must be enabled.
-
DISA STIG Apache Server 2.4 Windows Site v2r1
- AS24-W2-000010 - The Apache web server must limit the number of allowed simultaneous session requests.
- AS24-W2-000010 - The Apache web server must limit the number of allowed simultaneous session requests.
- AS24-W2-000020 - The Apache web server must perform server-side session management.
- AS24-W2-000020 - The Apache web server must perform server-side session management.
- AS24-W2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
- AS24-W2-000090 - The Apache web server must produce log records containing sufficient information to establish what type of events occurred.
-
DISA STIG Apache Server 2.4 Windows Server v2r2
- AS24-W1-000010 - The Apache web server must limit the number of allowed simultaneous session requests.
- AS24-W1-000010 - The Apache web server must limit the number of allowed simultaneous session requests.
- AS24-W1-000020 - The Apache web server must perform server-side session management - session_module
- AS24-W1-000020 - The Apache web server must perform server-side session management - session_module
- AS24-W1-000020 - The Apache web server must perform server-side session management - usertrack_module
- AS24-W1-000020 - The Apache web server must perform server-side session management - usertrack_module
-
DISA STIG Apache Server 2.4 Unix Site v2r2 Middleware
- AS24-U2-000020 - The Apache web server must perform server-side session management - session_module
- AS24-U2-000020 - The Apache web server must perform server-side session management - session_module
- AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module
- AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module
- AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol
- AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol
-
DISA STIG Apache Server 2.4 Unix Site v2r2
- AS24-U2-000020 - The Apache web server must perform server-side session management - session_module
- AS24-U2-000020 - The Apache web server must perform server-side session management - session_module
- AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module
- AS24-U2-000020 - The Apache web server must perform server-side session management - usertrack_module
- AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol
- AS24-U2-000030 - The Apache web server must use encryption strength in accordance with the categorization of data hosted by the Apache web server when remote connections are provided - SSLProtocol
-
DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests
- AS24-U1-000020 - The Apache web server must perform server-side session management - httpd
- AS24-U1-000020 - The Apache web server must perform server-side session management - httpd
-
DISA STIG Apache Server 2.4 Unix Server v2r5
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - KeepAlive
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests
- AS24-U1-000010 - The Apache web server must limit the number of allowed simultaneous session requests - MaxKeepAliveRequests
- AS24-U1-000020 - The Apache web server must perform server-side session management - httpd
- AS24-U1-000020 - The Apache web server must perform server-side session management - httpd
-
DISA STIG Apache Server 2.2 Windows v1r13
- WA000-WWA020 W22 - The Timeout directive must be properly set.
- WA000-WWA020 W22 - The Timeout directive must be properly set.
- WA000-WWA022 W22 - The KeepAlive directive must be enabled.
- WA000-WWA022 W22 - The KeepAlive directive must be enabled.
- WA000-WWA024 W22 - The KeepAliveTimeout directive must be defined.
- WA000-WWA024 W22 - The KeepAliveTimeout directive must be defined.
-
DISA STIG Apache Server 2.2 Unix v1r11 Middleware
- WA000-WWA020 A22 - The Timeout directive must be properly set.
- WA000-WWA020 A22 - The Timeout directive must be properly set.
- WA000-WWA022 A22 - The KeepAlive directive must be enabled.
- WA000-WWA022 A22 - The KeepAlive directive must be enabled.
- WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined.
- WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined.
-
DISA STIG Apache Server 2.2 Unix v1r11
- WA000-WWA020 A22 - The Timeout directive must be properly set.
- WA000-WWA020 A22 - The Timeout directive must be properly set.
- WA000-WWA022 A22 - The KeepAlive directive must be enabled.
- WA000-WWA022 A22 - The KeepAlive directive must be enabled.
- WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined.
- WA000-WWA024 A22 - The KeepAliveTimeout directive must be defined.
-
DISA STIG AIX 7.x v2r3
- AIX7-00-001000 - AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account.
- AIX7-00-001000 - AIX /etc/security/mkuser.sys.custom file must not exist unless it is needed for customizing a new user account.
- AIX7-00-001001 - AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.
- AIX7-00-001001 - AIX must automatically remove or disable temporary user accounts after 72 hours or sooner.
- AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.
- AIX7-00-001003 - AIX must enforce the limit of three consecutive invalid login attempts by a user before the user account is locked and released by an administrator.
-
DISA STIG AIX 6.1 v1r14
- GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.
- GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.
- GEN000000-AIX00040 - The securetcpip command must be used - /etc/security/config has been configured
- GEN000000-AIX00040 - The securetcpip command must be used - /etc/security/config has been configured
- GEN000000-AIX00040 - The securetcpip command must be used.
- GEN000000-AIX00040 - The securetcpip command must be used.
-
DISA STIG AIX 5.3 v1r2
- GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.
- GEN000000-AIX00020 - AIX Trusted Computing Base (TCB) software must be implemented.
- GEN000000-AIX00040 - The securetcpip command must be used
- GEN000000-AIX00040 - The securetcpip command must be used
- GEN000000-AIX00060 - A baseline of AIX files with the TCB bit set must be checked weekly.
- GEN000000-AIX00060 - A baseline of AIX files with the TCB bit set must be checked weekly.
-
DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1
- ARDC-CN-000005 - Adobe Reader DC must enable Enhanced Security in a Standalone Application.
- ARDC-CN-000005 - Adobe Reader DC must enable Enhanced Security in a Standalone Application.
- ARDC-CN-000010 - Adobe Reader DC must enable Enhanced Security in a Browser.
- ARDC-CN-000010 - Adobe Reader DC must enable Enhanced Security in a Browser.
- ARDC-CN-000015 - Adobe Reader DC must enable Protected Mode.
- ARDC-CN-000015 - Adobe Reader DC must enable Protected Mode.
-
DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2
- ADBP-XI-000205 - Adobe Acrobat Pro XI Enhanced Security for standalone mode must be enabled.
- ADBP-XI-000205 - Adobe Acrobat Pro XI Enhanced Security for standalone mode must be enabled.
- ADBP-XI-000210 - Adobe Acrobat Pro XI Enhanced Security for browser mode must be enabled.
- ADBP-XI-000210 - Adobe Acrobat Pro XI Enhanced Security for browser mode must be enabled.
- ADBP-XI-000275 - Adobe Acrobat Pro XI PDF file attachments must be blocked.
- ADBP-XI-000275 - Adobe Acrobat Pro XI PDF file attachments must be blocked.
-
DISA STIG Adobe Acrobat Reader DC Classic Track v2r1
- ARDC-CL-000005 - Adobe Reader DC must enable Enhanced Security in a Standalone Application.
- ARDC-CL-000005 - Adobe Reader DC must enable Enhanced Security in a Standalone Application.
- ARDC-CL-000010 - Adobe Reader DC must enable Enhanced Security in a Browser.
- ARDC-CL-000010 - Adobe Reader DC must enable Enhanced Security in a Browser.
- ARDC-CL-000015 - Adobe Reader DC must enable Protected Mode.
- ARDC-CL-000015 - Adobe Reader DC must enable Protected Mode.
-
DISA STIG Adobe Acrobat Pro XI v1r2
-
DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1
- AADC-CN-000205 - Adobe Acrobat Pro DC Continuous Enhanced Security for standalone mode must be enabled.
- AADC-CN-000205 - Adobe Acrobat Pro DC Continuous Enhanced Security for standalone mode must be enabled.
- AADC-CN-000210 - Adobe Acrobat Pro DC Continuous Enhanced Security for browser mode must be enabled.
- AADC-CN-000210 - Adobe Acrobat Pro DC Continuous Enhanced Security for browser mode must be enabled.
- AADC-CN-000275 - Adobe Acrobat Pro DC Continuous PDF file attachments must be blocked.
- AADC-CN-000275 - Adobe Acrobat Pro DC Continuous PDF file attachments must be blocked.
-
DISA STIG Adobe Acrobat Pro DC Classic Track v2r1
- AADC-CL-000205 - Adobe Acrobat Pro DC Classic Enhanced Security for standalone mode must be enabled.
- AADC-CL-000205 - Adobe Acrobat Pro DC Classic Enhanced Security for standalone mode must be enabled.
- AADC-CL-000210 - Adobe Acrobat Pro DC Classic Enhanced Security for browser mode must be enabled.
- AADC-CL-000210 - Adobe Acrobat Pro DC Classic Enhanced Security for browser mode must be enabled.
- AADC-CL-000275 - Adobe Acrobat Pro DC Classic PDF file attachments must be blocked.
- AADC-CL-000275 - Adobe Acrobat Pro DC Classic PDF file attachments must be blocked.
-
DISA SLES 15 STIG v1r3
- SLES-15-010000 - The SUSE operating system must be a vendor-supported release.
- SLES-15-010000 - The SUSE operating system must be a vendor-supported release.
- SLES-15-010001 - The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool - installed
- SLES-15-010001 - The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool - installed
- SLES-15-010001 - The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool - running
- SLES-15-010001 - The SUSE operating system must implement the Endpoint Security for Linux Threat Prevention tool - running
-
DISA SLES 12 STIG v2r2
- SLES-12-010000 - The SUSE operating system must be a vendor-supported release.
- SLES-12-010000 - The SUSE operating system must be a vendor-supported release.
- SLES-12-010010 - Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
- SLES-12-010010 - Vendor-packaged SUSE operating system security patches and updates must be installed and up to date.
- SLES-12-010020 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface - title
- SLES-12-010020 - The SUSE operating system must display the Standard Mandatory DoD Notice and Consent Banner until users acknowledge the usage conditions and take explicit actions to log on for further access to the local graphical user interface - title
-
DISA RedHat JBoss EAP 6.3 STIG v2r2
- JBOS-AS-000010 - HTTP management session traffic must be encrypted.
- JBOS-AS-000010 - HTTP management session traffic must be encrypted.
- JBOS-AS-000015 - HTTPS must be enabled for JBoss web interfaces.
- JBOS-AS-000015 - HTTPS must be enabled for JBoss web interfaces.
- JBOS-AS-000025 - Java permissions must be set for hosted applications.
- JBOS-AS-000025 - Java permissions must be set for hosted applications.
-
DISA Red Hat Enterprise Linux 8 STIG v1r5
- RHEL-08-010000 - RHEL 8 must be a vendor-supported release.
- RHEL-08-010000 - RHEL 8 must be a vendor-supported release.
- RHEL-08-010001 - The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
- RHEL-08-010001 - The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
- RHEL-08-010010 - RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
- RHEL-08-010010 - RHEL 8 vendor packaged system security patches and updates must be installed and up to date.
-
DISA Red Hat Enterprise Linux 7 STIG v3r5
- RHEL-07-010010 - The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.
- RHEL-07-010010 - The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.
- RHEL-07-010020 - The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
- RHEL-07-010020 - The Red Hat Enterprise Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
- RHEL-07-010030 - The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
- RHEL-07-010030 - The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
-
DISA Red Hat Enterprise Linux 6 STIG v2r2
- RHEL-06-000001 - The system must use a separate file system for /tmp.
- RHEL-06-000002 - The system must use a separate file system for /var.
- RHEL-06-000003 - The system must use a separate file system for /var/log.
- RHEL-06-000004 - The system must use a separate file system for the system audit data path.
- RHEL-06-000005 - The audit system must alert designated staff members when the audit storage volume approaches capacity.
- RHEL-06-000007 - The system must use a separate file system for user home directories.
-
DISA Oracle MySQL 8.0 v1r2 OS Linux
- MYS8-00-000300 - MySQL Database Server 8.0 must produce audit records containing sufficient information to establish what type of events occurred - audit.log
- MYS8-00-000300 - MySQL Database Server 8.0 must produce audit records containing sufficient information to establish what type of events occurred - data directory
- MYS8-00-001200 - The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized read access - audit.log
- MYS8-00-001200 - The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized read access - data directory
- MYS8-00-001300 - The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized modification - audit.log
- MYS8-00-001300 - The audit information produced by the MySQL Database Server 8.0 must be protected from unauthorized modification - data directory
-
DISA Oracle Linux 7 STIG v2r5
- OL07-00-010010 - The Oracle Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.
- OL07-00-010020 - The Oracle Linux operating system must be configured so that the cryptographic hash of system files and commands matches vendor values.
- OL07-00-010030 - The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
- OL07-00-010040 - The Oracle Linux operating system must display the approved Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon.
- OL07-00-010050 - The Oracle Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon.
- OL07-00-010061 - The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.
-
DISA Oracle Linux 8 STIG v1r1
- OL08-00-010000 - OL 8 must be a vendor-supported release.
- OL08-00-010001 - The OL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool.
- OL08-00-010010 - OL 8 vendor-packaged system security patches and updates must be installed and up to date.
- OL08-00-010030 - All OL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at-rest protection.
- OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon. - /etc/issue
- OL08-00-010040 - OL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via an SSH logon. - /etc/ssh/sshd_config
-
DISA MS Windows Privileged Access Workstation v2r1
- WPAW-00-000100 - Administrators of high-value IT resources must complete required training.
- WPAW-00-000200 - Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW) - AO must be remotely managed only via PAW
- WPAW-00-000400 - Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts.
- WPAW-00-000500 - A Windows PAW must only be used to manage high-value IT resources assigned to the same tier.
- WPAW-00-000600 - All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources.
- WPAW-00-000700 - The Windows PAW must be configured with a vendor-supported version of Windows 10 and applicable security patches that are DoD approved - CurrentBuild
-
DISA Microsoft Windows Firewall v2r1
- WNFWA-000001 - The Windows Firewall with Advanced Security must be enabled when connected to a domain.
- WNFWA-000002 - The Windows Firewall with Advanced Security must be enabled when connected to a private network.
- WNFWA-000003 - The Windows Firewall with Advanced Security must be enabled when connected to a public network.
- WNFWA-000004 - The Windows Firewall with Advanced Security must block unsolicited inbound connections when connected to a domain.
- WNFWA-000005 - The Windows Firewall with Advanced Security must allow outbound connections, unless a rule explicitly blocks the connection when connected to a domain.
- WNFWA-000009 - The Windows Firewall with Advanced Security log size must be configured for domain connections.
-
DISA Microsoft Windows 2012 Server DNS STIG v2r4
- WDNS-AC-000001 - The Windows 2012 DNS Server must restrict incoming dynamic update requests to known clients.
- WDNS-AU-000001 - The Windows 2012 DNS Server must be configured to record, and make available to authorized personnel, who added/modified/deleted DNS zone information.
- WDNS-AU-000003 - The Windows 2012 DNS Server must, in the event of an error validating another DNS server's identity, send notification to the DNS administrator.
- WDNS-AU-000005 - The Windows 2012 DNS Server log must be enabled.
- WDNS-AU-000006 - The Windows 2012 DNS Server logging must be enabled to record events from all DNS server functions.
- WDNS-AU-000007 - The Windows 2012 DNS Server logging criteria must only be configured by the ISSM or individuals appointed by the ISSM - manage
-
DISA Microsoft Exchange 2016 Mailbox Server STIG v2r4
- Authentication Failure
- DISA_STIG_Microsoft_Exchange_2016_Mailbox_Server_v2r4.audit from DISA Microsoft Exchange 2016 Mailbox Server v2r4 STIG
- EX16-MB-000010 - Exchange must have Administrator audit logging enabled.
- EX16-MB-000020 - Exchange servers must use approved DoD certificates.
- EX16-MB-000030 - Exchange auto-forwarding email to remote domains must be disabled or restricted.
- EX16-MB-000040 - Exchange Connectivity logging must be enabled.
-
DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r2
- Authentication Failure
- DISA_STIG_Microsoft_Exchange_2016_Edge_Transport_Server_v2r2.audit from DISA Microsoft Exchange 2016 Edge Transport Server v2r2 STIG
- EX16-ED-000010 - Exchange must limit the Receive connector timeout.
- EX16-ED-000020 - Exchange servers must use approved DoD certificates.
- EX16-ED-000030 - Exchange must have accepted domains configured.
- EX16-ED-000040 - Exchange must have auto-forwarding of email to remote domains disabled or restricted.
-
DISA Microsoft Exchange 2013 Mailbox Server STIG v2r1
- Authentication Failure
- DISA_STIG_Microsoft_Exchange_2013_Mailbox_Server_v2r1.audit from DISA Microsoft Exchange 2013 Mailbox Server v2r1 STIG
- EX13-MB-000005 - Exchange must have Administrator audit logging enabled.
- EX13-MB-000010 - Exchange Servers must use approved DoD certificates.
- EX13-MB-000015 - Exchange auto-forwarding email to remote domains must be disabled or restricted.
- EX13-MB-000020 - Exchange Connectivity logging must be enabled.
-
DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r5
- Authentication Failure
- DISA_STIG_Microsoft_Exchange_2013_Edge_Transport_Server_v1r5.audit from DISA MS Exchange 2013 Edge Transport Server v1r5 STIG
- EX13-EG-000005 - Exchange must limit the Receive connector timeout.
- EX13-EG-000010 - Exchange servers must use approved DoD certificates.
- EX13-EG-000015 - Exchange must have accepted domains configured.
- EX13-EG-000025 - Exchange external Receive connectors must be domain secure-enabled.
-
DISA Microsoft Exchange 2013 Client Access Server STIG v1r3
- Authentication Failure
- DISA_STIG_Microsoft_Exchange_2013_Client_Access_Server_v1r3.audit from DISA MS Exchange 2013 Client Access Server v1r3 STIG
- EX13-CA-000005 - Exchange must use Encryption for RPC client access.
- EX13-CA-000010 - Exchange must use Encryption for OWA access.
- EX13-CA-000015 - Exchange must have Forms-based Authentication disabled.
- EX13-CA-000020 - Exchange must have authenticated access set to Integrated Windows Authentication only.
-
DISA McAfee VirusScan 8.8 Managed Client STIG v5r21
- DTAG008 - The antivirus signature file age must not exceed 7 days.
- DTAM001 - McAfee VirusScan On-Access General Policies must be configured to enable on-access scanning at system startup.
- DTAM002 - McAfee VirusScan On-Access General Policies must be configured to scan boot sectors.
- DTAM003 - McAfee VirusScan On-Access General Policies must be configured to scan floppy during shutdown.
- DTAM004 - McAfee VirusScan On-Access General Policies must be configured to notify local users when detections occur.
- DTAM005 - McAfee VirusScan On-Access General Policies must be configured to prevent users from removing messages from the list.
-
DISA McAfee VirusScan 8.8 Local Client STIG v5r16
- DTAG008 - The antivirus signature file age must not exceed 7 days.
- DTAM001 - McAfee VirusScan On-Access Scanner General Settings must be configured to enable on-access scanning at system startup.
- DTAM002 - McAfee VirusScan On-Access Scanner General Settings must be configured to scan boot sectors.
- DTAM003 - McAfee VirusScan On-Access Scanner General Settings must be configured to scan floppy during shutdown.
- DTAM004 - McAfee VirusScan On-Access Scanner General Settings must be configured to notify local users when detections occur.
- DTAM005 - McAfee VirusScan On-Access Scanner General Settings must be configured to prevent users from removing messages from the list.
-
DISA IIS 8.5 Site v2r1
- DISA_IIS_8.5_Web_Site_v2r1.audit from DISA STIG IIS 8.5 Site
- IISW-SI-000201 - The IIS 8.5 website session state must be enabled.
- IISW-SI-000202 - The IIS 8.5 website session state cookie settings must be configured to Use Cookies mode.
- IISW-SI-000203 - A private IIS 8.5 website must only accept Secure Socket Layer connections.
- IISW-SI-000204 - A public IIS 8.5 website must only accept Secure Socket Layer connections when authentication is required.
- IISW-SI-000205 - The enhanced logging for each IIS 8.5 website must be enabled and capture, record, and log all content related to a user session - Field Client IP Address
-
DISA IIS 8.5 Server v2r1
- IISW-SV-000100 - The IIS 8.5 web server remote authors or content providers must only use secure encrypted logons and connections to upload web server content.
- IISW-SV-000102 - The enhanced logging for the IIS 8.5 web server must be enabled and capture all user and web server events - Field Date
- IISW-SV-000102 - The enhanced logging for the IIS 8.5 web server must be enabled and capture all user and web server events - Field IP
- IISW-SV-000102 - The enhanced logging for the IIS 8.5 web server must be enabled and capture all user and web server events - Field Method
- IISW-SV-000102 - The enhanced logging for the IIS 8.5 web server must be enabled and capture all user and web server events - Field Query
- IISW-SV-000102 - The enhanced logging for the IIS 8.5 web server must be enabled and capture all user and web server events - Field Referer
-
DISA IIS 6.0 Web Server V6R16
-
DISA IIS 10.0 Site v2r1
- IIST-SI-000201 - The IIS 10.0 website session state must be enabled.
- IIST-SI-000202 - The IIS 10.0 website session state cookie settings must be configured to Use Cookies mode.
- IIST-SI-000203 - A private IIS 10.0 website must only accept Secure Socket Layer (SSL) connections.
- IIST-SI-000204 - A public IIS 10.0 website must only accept Secure Socket Layer (SSL) connections when authentication is required.
- IIST-SI-000206 - Both the log file and Event Tracing for Windows (ETW) for each IIS 10.0 website must be enabled.
- IIST-SI-000208 - An IIS 10.0 website behind a load balancer or proxy server must produce log records containing the source client IP, and destination information.
-
DISA IIS 10.0 Server v2r1
- IIST-SV-000100 - The IIS 10.0 web server remote authors or content providers must only use secure encrypted logons and connections to upload web server content.
- IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Date
- IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field IP
- IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Method
- IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Query
- IIST-SV-000102 - The enhanced logging for the IIS 10.0 web server must be enabled and capture all user and web server events - Field Referer
-
DISA IBM WebSphere Traditional 9 Windows STIG v1r1
- WBSP-AS-000010 - The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
- WBSP-AS-000020 - The WebSphere Application Server admin console session timeout must be configured.
- WBSP-AS-000070 - The WebSphere Application Server security auditing must be enabled.
- WBSP-AS-000080 - WebSphere Application Server groups mapped to WebSphere auditor roles must be configured in accordance with security plan
- WBSP-AS-000090 - The WebSphere Application Server users WebSphere auditor role must be configured in accordance with System Security Plan.
- WBSP-AS-000100 - The WebSphere Application Server audit event type filters must be configured.
-
DISA IBM WebSphere Traditional 9 STIG v1r1
- WBSP-AS-000010 - The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
- WBSP-AS-000020 - The WebSphere Application Server admin console session timeout must be configured.
- WBSP-AS-000070 - The WebSphere Application Server security auditing must be enabled.
- WBSP-AS-000080 - WebSphere Application Server groups mapped to WebSphere auditor roles must be configured in accordance with security plan
- WBSP-AS-000090 - The WebSphere Application Server users WebSphere auditor role must be configured in accordance with System Security Plan.
- WBSP-AS-000100 - The WebSphere Application Server audit event type filters must be configured.
-
DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware
- WBSP-AS-000010 - The WebSphere Application Server maximum in-memory session count must be set according to application requirements.
- WBSP-AS-000020 - The WebSphere Application Server admin console session timeout must be configured.
- WBSP-AS-000070 - The WebSphere Application Server security auditing must be enabled.
- WBSP-AS-000080 - WebSphere Application Server groups mapped to WebSphere auditor roles must be configured in accordance with security plan
- WBSP-AS-000090 - The WebSphere Application Server users WebSphere auditor role must be configured in accordance with System Security Plan.
- WBSP-AS-000100 - The WebSphere Application Server audit event type filters must be configured.
-
DISA F5 BIG-IP Local Traffic Manager 11.x STIG v2r1
- F5BI-LT-000003 - The BIG-IP Core implementation must be configured to enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
- F5BI-LT-000023 - The BIG-IP Core implementation must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to virtual servers.
- F5BI-LT-000027 - The BIG-IP Core implementation must be configured to display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.
- F5BI-LT-000029 - The BIG-IP Core implementation must be configured to limit the number of concurrent sessions to an organization-defined number for virtual servers - Connection Limit
- F5BI-LT-000029 - The BIG-IP Core implementation must be configured to limit the number of concurrent sessions to an organization-defined number for virtual servers - Connection Limit Rate
- F5BI-LT-000031 - The BIG-IP Core implementation must be configured to monitor inbound traffic for remote access policy compliance when accepting connections to virtual servers.
-
DISA F5 BIG-IP Application Security Manager 11.x STIG v1r1
- F5BI-AS-000031 - The BIG-IP ASM module supporting intermediary services for remote access communications traffic must ensure inbound traffic is monitored for compliance with remote access security policies.
- F5BI-AS-000039 - The BIG-IP ASM module must be configured to produce ASM Event Logs containing information to establish what type of unauthorized events occurred.
- F5BI-AS-000119 - The BIG-IP ASM module must be configured to automatically update malicious code protection mechanisms when providing content filtering to virtual servers.
- F5BI-AS-000167 - The BIG-IP ASM module must be configured to detect code injection attacks launched against application objects including, at a minimum, application URLs and application code, when providing content filtering to virtual servers.
- F5BI-AS-000229 - The BIG-IP ASM module must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.
- F5BI-AS-000239 - The BIG-IP ASM module must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions.
-
DISA F5 BIG-IP Device Management 11.x STIG v2r1
- F5BI-DM-000003 - The BIG-IP appliance must limit the number of concurrent sessions to the Configuration Utility to 10 or an organization-defined number - 1 for each administrator account and/or administrator account type.
- F5BI-DM-000007 - The BIG-IP appliance must be configured to initiate a session lock after a 10-minute period of inactivity.
- F5BI-DM-000013 - The BIG-IP appliance must provide automated support for account management functions.
- F5BI-DM-000015 - The BIG-IP appliance must automatically remove or disable temporary user accounts after 72 hours.
- F5BI-DM-000017 - The BIG-IP appliance must automatically disable accounts after a 35-day period of account inactivity.
- F5BI-DM-000019 - The BIG-IP appliance must automatically audit account creation.
-
DISA F5 BIG-IP Advanced Firewall Manager 11.x STIG v1r1
- F5BI-AF-000039 - The BIG-IP AFM module must be configured to produce audit records containing information to establish what type of events occurred.
- F5BI-AF-000223 - The BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations - Active FW Rules
- F5BI-AF-000223 - The BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations - Security Policies
- F5BI-AF-000223 - The BIG-IP AFM module must be configured to only allow incoming communications from authorized sources routed to authorized destinations - Virtual Servers
- F5BI-AF-000229 - The BIG-IP AFM module must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.
-
DISA F5 BIG-IP Access Policy Manager 11.x STIG v2r1
- F5BI-AP-000003 - The BIG-IP APM module must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies.
- F5BI-AP-000023 - The BIG-IP APM module must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to virtual servers.
- F5BI-AP-000025 - The BIG-IP APM module must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users accessing virtual servers acknowledge the usage conditions and take explicit actions to log on for further access.
- F5BI-AP-000027 - The BIG-IP APM module must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to publicly accessible applications.
- F5BI-AP-000073 - The BIG-IP APM module must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers.
- F5BI-AP-000077 - The BIG-IP APM module must restrict user authentication traffic to specific authentication server(s) when providing user authentication to virtual servers - s when providing user auth to virtual servers.
-
DISA BIND 9.x STIG v2r2
- BIND-9X-000001 - A BIND 9.x server implementation must be running in a chroot(ed) directory structure.
- BIND-9X-001000 - A BIND 9.x server implementation must be operating on a Current-Stable version as defined by ISC.
- BIND-9X-001002 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation.
- BIND-9X-001003 - The BIND 9.x server software must run with restricted privileges.
- BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - drop
- BIND-9X-001004 - The host running a BIND 9.X implementation must implement a set of firewall rules that restrict traffic on the DNS interface - tcp
-
CIS Windows Server 2012 R2 MS Level 2 v2.5.0
- Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
- Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar
-
CIS Windows Server 2012 R2 MS Level 1 v2.5.0
- Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)
- Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
- Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)
- Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-
CIS Windows Server 2012 R2 DC Level 2 v2.5.0
- Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars
-
CIS Windows Server 2012 R2 DC Level 1 v2.5.0
- Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)
- Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
- Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
- Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-
CIS Windows Server 2012 MS Level 2 v2.2.0
- Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars
-
CIS Windows Server 2012 MS Level 1 v2.2.0
- Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)
- Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
- Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)
- Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
-
CIS Windows Server 2012 DC Level 2 v2.2.0
- Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars
-
CIS Windows Server 2012 DC Level 1 v2.2.0
- Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)
- Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
- Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
- Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'
-
CIS Windows 7 Workstation Level 2 v3.2.0
- Configure 'Log on as a service'
- Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
- Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
-
CIS Windows 8 Level 1 v1.0.0
- Set 'Account lockout duration' to '15 or more minute(s)'
- Set 'Account lockout threshold' to '5 invalid logon attempt(s)'
- Set 'Audit Policy: Account Logon: Kerberos Authentication Service' to 'No Auditing'
- Set 'Audit Policy: Account Logon: Other Account Logon Events' to 'No Auditing'
- Set 'Audit Policy: Account Management: Application Group Management' to 'No Auditing'
- Set 'Audit Policy: Account Management: Computer Account Management' to 'No Auditing'
-
CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
- Configure 'Log on as a service'
- Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')
- Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableFlashConfigRegistrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar
- Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar
-
CIS Windows 7 Workstation Level 1 v3.2.0
- Configure 'Accounts: Rename administrator account'
- Configure 'Create symbolic links'
- Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
- Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
-
CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
- Configure 'Accounts: Rename administrator account'
- Configure 'Create symbolic links'
- Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'
- Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'
- Ensure 'Account lockout duration' is set to '15 or more minute(s)'
- Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'
-
CIS Windows 7 Workstation Bitlocker v3.2.0
- Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'
- Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'
- Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'
- Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'
- Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'
- Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'
-
CIS VMware ESXi 7.0 v1.1.0 Level 2 Bare Metal
-
CIS VMware ESXi 7.0 v1.1.0 Level 2
- Ensure Autologon is disabled
- Ensure BIOS BBS is disabled
- Ensure contents of exposed configuration files have not been modified
- Ensure Drag and Drop Version Get is disabled
- Ensure Drag and Drop Version Set is disabled
- Ensure GetCreds is disabled
-
CIS VMware ESXi 7.0 v1.1.0 Level 1 Bare Metal
- Ensure a centralized location is configured to collect ESXi host core dumps
- Ensure a non-root user account exists for local admin access
- Ensure Active Directory is used for local user authentication
- Ensure expired and revoked SSL certificates are removed from the ESXi server
- Ensure no unauthorized kernel modules are loaded on the host
- Ensure the Image Profile VIB acceptance level is configured properly
-
CIS VMware ESXi 7.0 v1.1.0 Level 1
- Ensure access to VMs through the dvfilter network APIs is configured correctly
- Ensure account lockout is set to 15 minutes
- Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
- Ensure CIM access is limited
- Ensure DCUI has a trusted users list for lockdown mode
- Ensure dvfilter API is not configured if not used
-
CIS VMware ESXi 6.7 v1.2.0 Level 2 Bare Metal
-
CIS VMware ESXi 6.7 v1.2.0 Level 2
- Ensure all but VGA mode on virtual machines is disabled
- Ensure Autologon is disabled
- Ensure BIOS BBS is disabled
- Ensure contents of exposed configuration files have not been modified
- Ensure DCUI is disabled
- Ensure Drag and Drop Version Get is disabled
-
CIS VMware ESXi 6.7 v1.2.0 Level 1 Bare Metal
- Ensure a centralized location is configured to collect ESXi host core dumps
- Ensure a non-root user account exists for local admin access
- Ensure Active Directory is used for local user authentication
- Ensure expired and revoked SSL certificates are removed from the ESXi server
- Ensure no unauthorized kernel modules are loaded on the host
- Ensure the ESXi host firewall is configured to restrict access to services running on the host
-
CIS VMware ESXi 6.7 v1.2.0 Level 1
- Ensure access to VMs through the dvfilter network APIs is configured correctly
- Ensure account lockout is set to 15 minutes
- Ensure Active Directory is used for local user authentication
- Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
- Ensure CIM access is limited
- Ensure DCUI has a trusted users list for lockdown mode
-
CIS VMware ESXi 6.5 v1.0.0 Level 2 Bare Metal
-
CIS VMware ESXi 6.5 v1.0.0 Level 2
- CIS VMware ESXi 6.5 v1.0.0 Level 2
- Ensure all but VGA mode on virtual machines is disabled
- Ensure Autologon is disabled
- Ensure BIOS BBS is disabled
- Ensure contents of exposed configuration files have not been modified
- Ensure DCUI is disabled
-
CIS VMware ESXi 6.5 v1.0.0 Level 1 Bare Metal
- Ensure a centralized location is configured to collect ESXi host core dumps
- Ensure a non-root user account exists for local admin access
- Ensure default self-signed certificate for ESXi communication is not used
- Ensure expired and revoked SSL certificates are removed from the ESXi server
- Ensure no unauthorized kernel modules are loaded on the host
- Ensure the ESXi host firewall is configured to restrict access to services running on the host
-
CIS VMware ESXi 6.5 v1.0.0 Level 1
- Ensure access to VMs through the dvfilter network APIs is configured correctly
- Ensure account lockout is set to 15 minutes
- Ensure Active Directory is used for local user authentication - Enabled = 'true'
- Ensure Active Directory is used for local user authentication - Review Domain
- Ensure bidirectional CHAP authentication for iSCSI traffic is enabled
- Ensure CIM access is limited
-
CIS VMware ESXi 5.5 v1.2.0 Level 1
- Configure a centralized location to collect ESXi host core dumps
- Configure NTP time synchronization
- Configure persistent logging for all ESXi host
- Configure remote logging for ESXi hosts
- Configure the ESXi host firewall to restrict access to services running on the host
- Control access to VMs through the dvfilter network APIs
-
CIS VMware ESXi 5.5 v1.2.0 Level 2
- Avoid using nonpersistent disks
- CIS VMware ESXi 5.5 v1.2.0 Level 2
- Disable all but VGA mode on virtual machines.
- Disable Autologon
- Disable BIOS BBS
- Disable DCUI to prevent local administrative control
-
CIS VMware ESXi 5.1 v1.0.1 Level 2
- Disable Autologon
- Disable BIOS BBS
- Disable DCUI to prevent local administrative control
- Disable Drag and Drop Version Get
- Disable Drag and Drop Version Set
- Disable GetCreds
-
CIS VMware ESXi 5.1 v1.0.1 Level 1
- Configure a centralized location to collect ESXi host core dumps
- Configure Host Profiles to monitor and alert on configuration changes
- Configure NTP time synchronization
- Configure persistent logging for all ESXi host
- Configure remote logging for ESXi hosts
- Configure the ESXi host firewall to restrict access to services running on the host
-
CIS v1.1.0 Oracle 11g OS Windows Level 1
- .htaccess - 'Verify and set permissions'
- dads.conf - 'Verify and set permissions'
- Database datafiles - 'Verify and restrict permissions'
- Files in $ORACLE_HOME/bin - 'Verify and set ownership'
- Files in $ORACLE_HOME/network/admin directory - 'Verify and set permissions'
- init.ora - 'audit_file_dest parameter settings'
-
CIS v1.1.0 Oracle 11g OS Level 2
- All associated application files - 'Verify permissions'
- cman.ora - 'remote_admin = NO'
- Encryption - 'If keys are stored in a table in the database, access to the keys should be limited under a secure role'
- Encryption - 'Use RAW or BLOB for the storage of encrypted data'
- Encryption - 'Where possible, use a procedure that employs a content data element as the encryption key that is unique for each record'
- init.ora - 'audit_sys_operations = TRUE'
-
CIS Ubuntu Linux 20.04 LTS Workstation Level 2 v1.1.0
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
-
CIS v1.1.0 Oracle 11g OS Level 1
- .htaccess - 'Verify and set permissions'
- dads.conf - 'Verify and set permissions'
- Database datafiles - 'Verify and restrict permissions'
- Database object definition NOLOGGING clause - 'Do not leave database objects in NOLOGGING mode in production environments.'
- Files in $ORACLE_HOME (not including $ORACLE_HOME/bin) - 'Permissions set to 0750 or less on Unix Systems'
- Files in $ORACLE_HOME/bin - '0755 or less'
-
CIS Ubuntu Linux 20.04 LTS Workstation Level 1 v1.1.0
- Ensure /dev/shm is configured
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
- Ensure /var/tmp partition includes the nodev option
- Ensure /var/tmp partition includes the noexec option
- Ensure /var/tmp partition includes the nosuid option
-
CIS Ubuntu Linux 20.04 LTS Server Level 2 v1.1.0
- Disable IPv6 - grub.cfg
- Disable IPv6 - sysctl net.ipv6.conf.all.disable_ipv6
- Disable IPv6 - sysctl net.ipv6.conf.default.disable_ipv6
- Disable IPv6 - sysctl.conf net.ipv6.conf.all.disable_ipv6
- Disable IPv6 - sysctl.conf net.ipv6.conf.default.disable_ipv6
- Ensure all AppArmor Profiles are enforcing - complain
-
CIS Ubuntu Linux 20.04 LTS Server Level 1 v1.1.0
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /dev/shm is configured
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
-
CIS Ubuntu Linux 18.04 LXD Host Level 2 Workstation v1.0.0
- Disable IPv6
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
- Ensure all AppArmor Profiles are enforcing - unconfined
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Ubuntu Linux 18.04 LXD Host Level 2 Server v1.0.0
- Disable IPv6
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
- Ensure all AppArmor Profiles are enforcing - unconfined
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Ubuntu Linux 18.04 LXD Host Level 2 LXD v1.0.0
-
CIS Ubuntu Linux 18.04 LXD Host Level 1 Workstation v1.0.0
- Ensure /tmp is configured
- Ensure address space layout randomization (ASLR) is enabled - config
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure AIDE is installed
- Ensure authentication required for single user mode
- Ensure bootloader password is set - 'passwd_pbkdf2'
-
CIS Ubuntu Linux 18.04 LXD Host Level 1 Server v1.0.0
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /tmp is configured
- Ensure address space layout randomization (ASLR) is enabled - config
- Ensure address space layout randomization (ASLR) is enabled - sysctl
-
CIS Ubuntu Linux 18.04 LXD Host Level 1 LXD v1.0.0
- Ensure /tmp is configured
- Ensure mounting of cramfs filesystems is disabled - lsmod
- Ensure mounting of cramfs filesystems is disabled - modprobe
- Ensure mounting of freevxfs filesystems is disabled - lsmod
- Ensure mounting of freevxfs filesystems is disabled - modprobe
- Ensure mounting of hfs filesystems is disabled - lsmod
-
CIS Ubuntu Linux 18.04 LXD Container Level 2 v1.0.0
-
CIS Ubuntu Linux 18.04 LXD Container Level 1 v1.0.0
- Ensure /tmp is configured
- Ensure AIDE is installed
- Ensure all AppArmor Profiles are in enforce or complain mode - loaded
- Ensure all AppArmor Profiles are in enforce or complain mode - unconfined
- Ensure AppArmor is installed
- Ensure Avahi Server is not enabled
-
CIS Ubuntu Linux 18.04 LTS Workstation Level 2 v2.1.0
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
-
CIS Ubuntu Linux 18.04 LTS Workstation Level 1 v2.1.0
- Ensure /dev/shm is configured
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
- Ensure /var/tmp partition includes the nodev option
- Ensure /var/tmp partition includes the noexec option
- Ensure /var/tmp partition includes the nosuid option
-
CIS Ubuntu Linux 18.04 LTS Server Level 2 v2.1.0
- Disable IPv6
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
- Ensure all AppArmor Profiles are enforcing - unconfined
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Ubuntu Linux 16.04 LTS Workstation Level 2 v2.0.0
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
-
CIS Ubuntu Linux 18.04 LTS Server Level 1 v2.1.0
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /dev/shm is configured
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
-
CIS Ubuntu Linux 16.04 LTS Workstation Level 1 v2.0.0
- Ensure /dev/shm is configured
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
- Ensure /var/tmp partition includes the nodev option
- Ensure /var/tmp partition includes the noexec option
- Ensure /var/tmp partition includes the nosuid option
-
CIS Ubuntu Linux 16.04 LTS Server Level 2 v2.0.0
- Disable IPv6
- Ensure all AppArmor Profiles are enforcing - complain
- Ensure all AppArmor Profiles are enforcing - loaded
- Ensure all AppArmor Profiles are enforcing - unconfined
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Ubuntu Linux 16.04 LTS Server Level 1 v2.0.0
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /dev/shm is configured
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
-
CIS Ubuntu Linux 14.04 LTS Workstation Level 2 v2.1.0
- Disable Automounting
- Ensure all AppArmor Profiles are enforcing
- Ensure all AppArmor Profiles are enforcing - 'complain mode'
- Ensure all AppArmor Profiles are enforcing - 'profiles loaded'
- Ensure all AppArmor Profiles are enforcing - 'unconfined processes'
- Ensure AppArmor is not disabled in bootloader configuration
-
CIS Ubuntu Linux 14.04 LTS Workstation Level 1 v2.1.0
- Ensure address space layout randomization (ASLR) is enabled
- Ensure address space layout randomization (ASLR) is enabled (sysctl.conf/sysctl.d)
- Ensure AIDE is installed
- Ensure authentication required for single user mode
- Ensure bootloader password is set - 'passwd_pbkdf2'
- Ensure bootloader password is set - 'set superusers'
-
CIS Ubuntu Linux 14.04 LTS Server Level 2 v2.1.0
- Ensure all AppArmor Profiles are enforcing
- Ensure all AppArmor Profiles are enforcing - 'complain mode'
- Ensure all AppArmor Profiles are enforcing - 'profiles loaded'
- Ensure all AppArmor Profiles are enforcing - 'unconfined processes'
- Ensure AppArmor is not disabled in bootloader configuration
- Ensure audit log storage size is configured
-
CIS Ubuntu Linux 14.04 LTS Server Level 1 v2.1.0
- Disable Automounting
- Ensure address space layout randomization (ASLR) is enabled
- Ensure address space layout randomization (ASLR) is enabled (sysctl.conf/sysctl.d)
- Ensure AIDE is installed
- Ensure authentication required for single user mode
- Ensure bootloader password is set - 'passwd_pbkdf2'
-
CIS Ubuntu 12.04 LTS Benchmark Level 2 v1.1.0
- Activate AppArmor - '0 processes unconfined'
- Activate AppArmor - '0 profiles in complain mode'
- Activate AppArmor - 'Profiles are loaded' - Review
- Collect Discretionary Access Control Permission Modification Events- '32bit chmod/fchmod/fchmodat'
- Collect Discretionary Access Control Permission Modification Events- '32bit chown/fchown/fchownat/lchown'
- Collect Discretionary Access Control Permission Modification Events- '32bit setxattr'
-
CIS Ubuntu 12.04 LTS Benchmark Level 1 v1.1.0
- Add nodev Option to /home
- Add nodev Option to /run/shm Partition
- Add nodev Option to Removable Media Partitions
- Add noexec Option to /run/shm Partition
- Add noexec Option to Removable Media Partitions
- Add nosuid Option to /run/shm Partition
-
CIS Sybase 15.0 Level 2 OS Windows v1.1.0
-
CIS Sybase 15.0 Level 2 OS Unix v1.1.0
-
CIS Sybase 15.0 Level 1 OS Windows v1.1.0
-
CIS SUSE Linux Enterprise Workstation 12 Level 2 v3.0.0
- Disable Automounting
- Disable IPv6 - grub.cfg
- Disable IPv6 - sysctl all disable_ipv6
- Disable IPv6 - sysctl default disable_ipv6
- Disable IPv6 - sysctl.conf all disable_ipv6
- Disable IPv6 - sysctl.conf default disable_ipv6
-
CIS SUSE Linux Enterprise Workstation 12 Level 1 v3.0.0
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /tmp is configured - config check
- Ensure /tmp is configured - mount
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl.conf
-
CIS SUSE Linux Enterprise Workstation 11 Level 2 v2.1.0
- Disable Automounting
- Ensure all AppArmor Profiles are enforcing - complain mode
- Ensure all AppArmor Profiles are enforcing - processes unconfined
- Ensure all AppArmor Profiles are enforcing - profiles loaded
- Ensure AppArmor is not disabled in bootloader configuration
- Ensure audit log storage size is configured
-
CIS SUSE Linux Enterprise Workstation 11 Level 1 v2.1.0
- Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure AIDE is installed
- Ensure authentication required for single user mode
- Ensure bootloader password is set - password_pbkdf2
- Ensure bootloader password is set - superusers
-
CIS SUSE Linux Enterprise Server 12 Level 2 v3.0.0
- Disable IPv6 - grub.cfg
- Disable IPv6 - sysctl all disable_ipv6
- Disable IPv6 - sysctl default disable_ipv6
- Disable IPv6 - sysctl.conf all disable_ipv6
- Disable IPv6 - sysctl.conf default disable_ipv6
- Ensure all AppArmor Profiles are enforcing
-
CIS SUSE Linux Enterprise Server 12 Level 1 v3.0.0
- Disable Automounting
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /tmp is configured - config check
- Ensure /tmp is configured - mount
- Ensure address space layout randomization (ASLR) is enabled - sysctl
-
CIS SUSE Linux Enterprise Server 11 Level 2 v2.1.0
- Ensure all AppArmor Profiles are enforcing - complain mode
- Ensure all AppArmor Profiles are enforcing - processes unconfined
- Ensure all AppArmor Profiles are enforcing - profiles loaded
- Ensure AppArmor is not disabled in bootloader configuration
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS SUSE Linux Enterprise Server 11 Level 1 v2.1.0
- Disable Automounting
- Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure AIDE is installed
- Ensure authentication required for single user mode
- Ensure bootloader password is set - password_pbkdf2
-
CIS SUSE Linux Enterprise 15 Workstation Level 2 v1.1.1
- Disable Automounting
- Disable IPv6 - grub.cfg
- Disable IPv6 - sysctl all disable_ipv6
- Disable IPv6 - sysctl default disable_ipv6
- Disable IPv6 - sysctl.conf all disable_ipv6
- Disable IPv6 - sysctl.conf default disable_ipv6
-
CIS SUSE Linux Enterprise 15 Workstation Level 1 v1.1.1
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /tmp is configured
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl.conf
- Ensure AIDE is installed
-
CIS SUSE Linux Enterprise 15 Server Level 2 v1.1.1
- Disable IPv6 - grub.cfg
- Disable IPv6 - sysctl all disable_ipv6
- Disable IPv6 - sysctl default disable_ipv6
- Disable IPv6 - sysctl.conf all disable_ipv6
- Disable IPv6 - sysctl.conf default disable_ipv6
- Ensure all AppArmor Profiles are enforcing - profiles enforce mode
-
CIS SUSE Linux Enterprise 15 Server Level 1 v1.1.1
- Disable Automounting
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /tmp is configured
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl.conf
-
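The suffixes on the Linux check names above ("- sysctl" against "- sysctl.conf", "- lsmod" against "- modprobe", "- mount" against "- fstab") mark the two halves that a benchmark audit has to prove separately: the live kernel state, and the persistent configuration that will reproduce that state after a reboot. A host can pass one half and fail the other. The script below is an added example, not Tenable's audit logic and not the CIS benchmark's own audit commands; it re-implements those paired checks for ASLR, the usb-storage module and /dev/shm mount options against constructed sample files (the directory layout, file contents and lsmod/mount output lines are all made up for the demo) so it runs offline. On a real host the same functions would be pointed at /proc/sys/kernel/randomize_va_space, /etc/sysctl.d, /etc/modprobe.d, /etc/fstab and the output of lsmod and mount.

```shell
#!/bin/sh
# Added example (not Tenable's or CIS's code): runtime vs persistent halves of
# three recurring CIS Linux checks, run against constructed sample files.
set -u

SAMPLE_DIR="${TMPDIR:-/tmp}/cis-demo.$$"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/sysctl.d" "$SAMPLE_DIR/sysctl.d.bad" "$SAMPLE_DIR/modprobe.d"

# --- constructed inputs (stand-ins for the real files) ------------------------
printf '2\n' > "$SAMPLE_DIR/randomize_va_space"                        # live value
printf 'kernel.randomize_va_space = 2\n' > "$SAMPLE_DIR/sysctl.d/60-aslr.conf"
cp "$SAMPLE_DIR/sysctl.d/60-aslr.conf" "$SAMPLE_DIR/sysctl.d.bad/"
printf 'kernel.randomize_va_space = 0\n' > "$SAMPLE_DIR/sysctl.d.bad/99-override.conf"
printf 'install usb-storage /bin/true\nblacklist usb-storage\n' > "$SAMPLE_DIR/modprobe.d/usb.conf"
printf 'loop 32768 0\n' > "$SAMPLE_DIR/lsmod.clean"
printf 'usb_storage 77824 1\nloop 32768 0\n' > "$SAMPLE_DIR/lsmod.loaded"
printf 'tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0\n' > "$SAMPLE_DIR/fstab"
printf 'tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)\n' > "$SAMPLE_DIR/mount.good"
printf 'tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime)\n' > "$SAMPLE_DIR/mount.bad"

# --- "ASLR is enabled" --------------------------------------------------------
# "- sysctl": the kernel's current value; 2 = full randomization (1 leaves the
# data segment unrandomized, 0 disables ASLR).
check_aslr_sysctl() {  # $1 = file standing in for /proc/sys/kernel/randomize_va_space
  [ "$(cat "$1")" = "2" ]
}
# "- sysctl.conf": the persistent setting. Files are applied in name order and
# the last definition wins, so only the final uncommented line counts.
check_aslr_config() {  # $1 = directory of *.conf fragments
  last=$(cat "$1"/*.conf 2>/dev/null \
         | grep -E '^[[:space:]]*kernel\.randomize_va_space[[:space:]]*=' | tail -n 1)
  echo "$last" | grep -Eq '=[[:space:]]*2[[:space:]]*$'
}

# --- "Disable USB Storage" ----------------------------------------------------
# "- modprobe": the module must be stubbed (install ... /bin/true or /bin/false)
# AND blacklisted; the stub blocks explicit loads, the blacklist blocks aliases.
check_usb_storage_modprobe() {  # $1 = directory of modprobe.d fragments
  cat "$1"/*.conf 2>/dev/null \
    | grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+/bin/(true|false)' \
  && cat "$1"/*.conf 2>/dev/null \
    | grep -Eq '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage'
}
# "- lsmod": the module must not be loaded right now, whatever the config says.
check_usb_storage_lsmod() {  # $1 = file holding lsmod-style output
  ! grep -Eq '^usb_storage[[:space:]]' "$1"
}

# --- "/dev/shm is configured" -------------------------------------------------
has_opts() {  # $1 = comma-separated mount options; all three hardening flags required
  for o in nodev nosuid noexec; do
    echo ",$1," | grep -q ",$o," || return 1
  done
}
# "- fstab": declared with the options so they survive a reboot.
check_shm_fstab() {  # $1 = fstab-style file
  opts=$(awk '$1 !~ /^#/ && $2 == "/dev/shm" {print $4}' "$1" | tail -n 1)
  [ -n "$opts" ] && has_opts "$opts"
}
# "- mount": actually mounted with the options right now.
check_shm_mount() {  # $1 = file holding "mount"-style output
  opts=$(awk '$3 == "/dev/shm" {gsub(/[()]/, "", $6); print $6}' "$1" | tail -n 1)
  [ -n "$opts" ] && has_opts "$opts"
}

# --- report -------------------------------------------------------------------
report() {  # $1 = label, remaining args = check command
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}
report "ASLR is enabled - sysctl"                   check_aslr_sysctl "$SAMPLE_DIR/randomize_va_space"
report "ASLR is enabled - sysctl.conf"              check_aslr_config "$SAMPLE_DIR/sysctl.d"
report "ASLR is enabled - sysctl.conf (overridden)" check_aslr_config "$SAMPLE_DIR/sysctl.d.bad"
report "Disable USB Storage - modprobe"             check_usb_storage_modprobe "$SAMPLE_DIR/modprobe.d"
report "Disable USB Storage - lsmod (clean)"        check_usb_storage_lsmod "$SAMPLE_DIR/lsmod.clean"
report "Disable USB Storage - lsmod (loaded)"       check_usb_storage_lsmod "$SAMPLE_DIR/lsmod.loaded"
report "/dev/shm is configured - fstab"             check_shm_fstab "$SAMPLE_DIR/fstab"
report "/dev/shm is configured - mount (good)"      check_shm_mount "$SAMPLE_DIR/mount.good"
report "/dev/shm is configured - mount (bad)"       check_shm_mount "$SAMPLE_DIR/mount.bad"
```

The two deliberately failing samples show why the benchmarks split each item: a later sysctl.d fragment silently overrides an earlier one, and a module that is blacklisted on disk can still be sitting in the running kernel until the host is rebooted or the module is unloaded.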
CIS SQL Server 2017 Database Level 1 OS v1.2.0
- Ensure Single-Function Member Servers are Used
- Ensure the SQL Server's Full-Text Service Account is Not an Administrator
- Ensure the SQL Server's MSSQL Service Account is Not an Administrator
- Ensure the SQL Server's SQLAgent Service Account is Not an Administrator
- Ensure Unnecessary SQL Server Protocols are set to 'Disabled'
-
CIS SQL Server 2016 Database Level 1 OS v1.3.0
- Ensure Single-Function Member Servers are Used
- Ensure the SQL Server's Full-Text Service Account is Not an Administrator
- Ensure the SQL Server's MSSQL Service Account is Not an Administrator
- Ensure the SQL Server's SQLAgent Service Account is Not an Administrator
- Ensure Unnecessary SQL Server Protocols are set to 'Disabled'
-
CIS SQL Server 2014 Database Level 1 OS v1.5.0
- Ensure the SQL Server's Full-Text Service Account is Not an Administrator
- Ensure the SQL Server's MSSQL Service Account is Not an Administrator
- Ensure the SQL Server's SQLAgent Service Account is Not an Administrator
- Ensure Unnecessary SQL Server Protocols are set to 'Disabled' - 'Named Pipes protocol is disabled'
- Ensure Unnecessary SQL Server Protocols are set to 'Disabled' - 'Shared Memory protocol is disabled'
- Ensure Unnecessary SQL Server Protocols are set to 'Disabled' - 'TCP/IP protocol is disabled'
-
CIS SQL Server 2012 Database Level 1 OS v1.6.0
- Ensure Single-Function Member Servers are Used
- Ensure the SQL Server's Full-Text Service Account is Not an Administrator
- Ensure the SQL Server's MSSQL Service Account is Not an Administrator
- Ensure the SQL Server's SQLAgent Service Account is Not an Administrator
- Ensure Unnecessary SQL Server Protocols are set to 'Disabled'
-
CIS SQL Server 2008 R2 DB OS Level 1 v1.7.0
- Ensure 'Hide Instance' option is set to 'Yes' for Production SQL Server instances
- Ensure 'Maximum number of error log files' is set to greater than or equal to '12'
- Ensure SQL Server is configured to use non-standard ports
- Ensure the SQL Server's Full-Text Service Account is Not an Administrator
- Ensure the SQL Server's MSSQL Service Account is Not an Administrator
- Ensure the SQL Server's SQLAgent Service Account is Not an Administrator
-
CIS Solaris 9 v1.3
- Configure SSH - Check if Banner is not commented for server
- Configure SSH - Check if file permission for '/etc/ssh/sshd_config' are OK.
- Configure SSH - Check if IgnoreRhosts is set to yes and not commented for server.
- Configure SSH - Check if MaxAuthTries is set to 3 and not commented for server.
- Configure SSH - Check if MaxAuthTriesLog is set to 0 and not commented for server.
- Configure SSH - Check if PermitEmptyPasswords is set to no and not commented for server
-
CIS Solaris 11.2 Level 2 v1.1.0
-
CIS Solaris 11.1 Level 2 v1.0.0
-
CIS Solaris 11.2 Level 1 v1.1.0
- Configure sendmail Service for Local-Only Mode
- Configure TCP Wrappers - hosts.allow
- Configure TCP Wrappers - hosts.deny
- Configure TCP Wrappers - inetadm tcp_wrappers = true
- Configure TCP Wrappers - svcprop tcp_wrappers true
- Disable Apache Service
-
CIS Solaris 11.1 Level 1 v1.0.0
- Configure sendmail Service for Local-Only Mode
- Configure TCP Wrappers - hosts.allow
- Configure TCP Wrappers - svcprop tcp_wrappers false
- Disable Apache Service
- Disable automount Service
- Disable Generic Security Services (GSS)
-
CIS Solaris 11 Level 2 v1.1.0
-
CIS Solaris 11 Level 1 v1.1.0
- Configure sendmail Service for Local-Only Mode
- Configure TCP Wrappers - hosts.allow
- Configure TCP Wrappers - hosts.deny
- Configure TCP Wrappers - inetadm tcp_wrappers = true
- Configure TCP Wrappers - svcprop tcp_wrappers false
- Disable Apache Service
-
CIS Solaris 10 Level 2 v5.2
- Create symlinks for dangerous files - /.rhosts
- Create symlinks for dangerous files - /.shosts
- Create symlinks for dangerous files - /etc/hosts.equiv
- Enable process accounting at boot time
- Ensure Password Encryption Uses SHA algorithms 'CRYPT_ALGORITHMS_ALLOW'
- Ensure Password Encryption Uses SHA algorithms 'CRYPT_DEFAULT'
-
CIS Solaris 10 Level 1 v5.2
- Disable Apache services - Make sure that /etc/apache/httpd.conf does not exist. Note this check is only applicable for Apache 1.x
- Disable Apache services - Make sure that network/http:apache2 is disabled.
- Disable automount daemon - Make sure that /system/filesystem/autofs is disabled.
- Disable Generic Security Services (GSS) daemons - Make sure that /network/rpc/gss is disabled
- Disable Kerberos TGT Expiration Warning - Make sure that /network/security/ktkt_warn is disabled
- Disable LDAP Cache Manager - Make sure that /network/ldap/client is disabled
-
CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
- Disable Automounting
- Disable USB Storage - /bin/true
- Disable USB Storage - blacklist
- Ensure /tmp is configured - or equivalent.
- Ensure address space layout randomization (ASLR) is enabled - config
- Ensure address space layout randomization (ASLR) is enabled - sysctl
-
CIS Red Hat Enterprise Linux 7 STIG v2.0.0 Level 2 Workstation
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Red Hat Enterprise Linux 7 STIG v2.0.0 Level 2 Server
- Disable IPv6
- Disable the rhnsd Daemon
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - audit
- Ensure auditd is installed - audit-libs
-
CIS Red Hat Enterprise Linux 7 STIG v2.0.0 Level 1 Workstation
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
- Ensure /var/tmp partition includes the nodev option
- Ensure /var/tmp partition includes the noexec option
-
CIS Red Hat Enterprise Linux 7 STIG v2.0.0 Level 1 Server
- Disable Automounting
- Disable the rhnsd Daemon
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
-
CIS Red Hat Enterprise Linux 5 Level 2 v2.2.1
- Check for Unconfined Daemons
- Collect Login and Logout Events - /var/log/btmp
- Collect Login and Logout Events - /var/log/faillog
- Collect Login and Logout Events - /var/log/lastlog
- Collect Login and Logout Events - /var/log/tallylog
- Configure Audit Log Storage Size
-
CIS Red Hat Enterprise Linux 5 Level 1 v2.2.1
- Add nodev Option to /dev/shm Partition
- Add nodev Option to Removable Media Partitions
- Add noexec Option to /dev/shm Partition
- Add noexec Option to Removable Media Partitions
- Add nosuid Option to /dev/shm Partition
- Add nosuid Option to Removable Media Partitions
-
CIS Red Hat EL8 Workstation Level 2 v1.0.1
- Disable Automounting
- Disable IPv6
- Disable USB Storage - modprobe
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - 'audit'
-
CIS Red Hat EL8 Workstation Level 1 v1.0.1
- Disable the rhnsd Daemon
- Ensure /tmp is configured - config check
- Ensure /tmp is configured - mount check
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d
- Ensure AIDE is installed
-
CIS Red Hat EL8 Server Level 2 v1.0.1
- Disable IPv6
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - 'audit'
- Ensure auditd is installed - 'audit-libs'
- Ensure auditd service is enabled
-
CIS Red Hat EL8 Server Level 1 v1.0.1
- Disable Automounting
- Disable the rhnsd Daemon
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /tmp is configured - config check
- Ensure /tmp is configured - mount check
-
CIS Red Hat EL7 Workstation Level 2 v3.1.1
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Red Hat EL7 Server Level 2 v3.1.1
- Disable IPv6
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - audit
- Ensure auditd is installed - audit-libs
- Ensure auditd service is enabled and running - enabled
-
CIS Red Hat EL7 Workstation Level 1 v3.1.1
- Disable the rhnsd Daemon
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
- Ensure /var/tmp partition includes the nodev option
-
CIS Red Hat EL7 Server Level 1 v3.1.1
- Disable Automounting
- Disable the rhnsd Daemon
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
-
CIS Red Hat 6 Workstation Level 2 v3.0.0
- Disable Automounting
- Disable IPv6
- Disable the rhnsd Daemon
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /tmp is configured
-
CIS Red Hat 6 Workstation Level 1 v3.0.0
- Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl.conf, /etc/sysctl.d/*
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure AIDE is installed
- Ensure authentication required for single user mode - rescue.service
- Ensure bootloader password is set
- Ensure core dumps are restricted - limits.conf, limits.d/*
-
CIS Red Hat 6 Server Level 2 v3.0.0
- Disable IPv6
- Disable the rhnsd Daemon
- Ensure /tmp is configured
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - audit
-
CIS Red Hat 6 Server Level 1 v3.0.0
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure address space layout randomization (ASLR) is enabled - /etc/sysctl.conf, /etc/sysctl.d/*
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure AIDE is installed
-
CIS PostgreSQL 9.6 OS v1.0.0
- Ensure excessive administrative privileges are revoked
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure Installation of Binary Packages
- Ensure Installation of Community Packages
- Ensure login via 'host' TCP/IP Socket is configured correctly
-
CIS PostgreSQL 9.5 OS v1.1.0
- Ensure 'Attack Vectors' Runtime Parameters are Configured
- Ensure Data Cluster Initialized Successfully
- Ensure excessive administrative privileges are revoked
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure Installation of Binary Packages
-
CIS PostgreSQL 14 OS v1.0.0
- CIS_PostgreSQL_14_v1.0.0_L1_OS_Linux.audit from CIS PostgreSQL 14 Benchmark v1.0.0
- Ensure base backups are configured and functional
- Ensure Data Cluster Initialized Successfully
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure login via 'host' TCP/IP Socket is configured correctly - host TCP/IP Socket is configured correctly
-
CIS PostgreSQL 13 OS v1.0.0
- CIS_PostgreSQL_13_v1.0.0_L1_OS_Linux.audit from CIS PostgreSQL 13 Benchmark v1.0.0
- Ensure Data Cluster Initialized Successfully
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure login via 'host' TCP/IP Socket is configured correctly
- Ensure login via 'local' UNIX Domain Socket is configured correctly
-
CIS PostgreSQL 12 OS v1.0.0
- CIS_PostgreSQL_12_v1.0.0_L1_OS_Linux.audit from CIS PostgreSQL 12 Benchmark v1.0.0
- Ensure Data Cluster Initialized Successfully
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure Installation of Binary Packages
- Ensure Installation of Community Packages
-
CIS PostgreSQL 11 OS v1.0.0
- Ensure Data Cluster Initialized Successfully
- Ensure excessive function privileges are revoked
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure Installation of Binary Packages
- Ensure Installation of Community Packages
-
CIS PostgreSQL 10 OS v1.0.0
- Ensure Data Cluster Initialized Successfully
- Ensure excessive function privileges are revoked
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - fips_enabled
- Ensure FIPS 140-2 OpenSSL Cryptography Is Used - openssl version
- Ensure Installation of Binary Packages
- Ensure Installation of Community Packages
-
CIS Palo Alto Firewall 9 Benchmark v1.0.0 Level 1
- Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
- Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
- Ensure 'Enable Log on High DP Load' is enabled
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
- Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring - Link Monitoring Failure Condition
-
CIS Palo Alto Firewall 9 Benchmark Level 2 v1.0.0
- Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
- Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
- Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled for all flood types is attached to all untrusted zones
- Ensure that IP addresses are mapped to usernames - User ID Agents
- Ensure that IP addresses are mapped to usernames - Zones
- Ensure that the Certificate Securing Remote Access VPNs is Valid - Certificates
-
CIS Palo Alto Firewall 8 Benchmark Level 1 v1.0.0
- Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
- Ensure 'Applications and Threats Update Schedule' is set to download and install updates at daily or shorter intervals
- Ensure 'Enable Log on High DP Load' is enabled
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
- Ensure 'High Availability' requires Link Monitoring and/or Path Monitoring
-
CIS Palo Alto Firewall 8 Benchmark Level 2 v1.0.0
- CIS_Palo_Alto_Firewall_8_Benchmark_L2_v1.0.0.audit from CIS Palo Alto Firewall 8 Benchmark v1.0.0
- Ensure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone
- Ensure that a Zone Protection Profile with tuned Flood Protection settings enabled
- Ensure that IP addresses are mapped to usernames - User ID Agents
- Ensure that IP addresses are mapped to usernames - Zones
- Ensure that the certificate securing Remote Access VPNs is valid - Certificates
-
CIS Palo Alto Firewall 7 Benchmark Level 2 v1.0.0
- Ensure 'Security Policy' denying any/all traffic exists at the bottom of the security policies ruleset
- Ensure that a Zone Protection Profile with Flood Protection settings enabled for all flood types is attached to all untrusted zones
- Ensure that IP addresses are mapped to usernames - User ID Agents
- Ensure that IP addresses are mapped to usernames - Zones
- Ensure that the certificate securing Remote Access VPNs is valid - Certificates
- Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways
-
CIS Palo Alto Firewall 7 Benchmark Level 1 v1.0.0
- Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
- Ensure 'Applications and Threats Update Schedule' is set to download and install updates daily
- Ensure 'Block Username Inclusion' is enabled
- Ensure 'Enable Log on High DP Load' is enabled
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
-
CIS Palo Alto Firewall 6 Benchmark Level 2 v1.0.0
- Ensure 'Security Policy' denying any/all traffic exists at the bottom of the security policies ruleset
- Ensure that a Zone Protection Profile with Flood Protection settings enabled for all flood types is attached to all untrusted zones
- Ensure that IP addresses are mapped to usernames - User ID Agents
- Ensure that IP addresses are mapped to usernames - Zones
- Ensure that the certificate securing Remote Access VPNs is valid - Certificates
- Ensure that the certificate securing Remote Access VPNs is valid - GlobalProtect Gateways
-
CIS Palo Alto Firewall 6 Benchmark Level 1 v1.0.0
- Ensure 'Antivirus Update Schedule' is set to download and install updates hourly
- Ensure 'Applications and Threats Update Schedule' is set to download and install updates daily
- Ensure 'Block Username Inclusion' is enabled
- Ensure 'Enable Log on High DP Load' is enabled
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts
- Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time
-
CIS Oracle Solaris 11.4 Level 2 v1.0.0
-
CIS Oracle Solaris 11.4 Level 1 v1.0.0
- Configure sendmail Service for Local-Only Mode
- Configure TCP Wrappers - hosts.allow
- Configure TCP Wrappers - hosts.deny
- Configure TCP Wrappers - inetadm
- Configure TCP Wrappers - rpc/bind
- Disable Apache Service
-
CIS Oracle Server 19c Linux v1.0.0
-
CIS Oracle Server 19c Windows v1.0.0
-
CIS Oracle Server 18c Windows v1.0.0
-
CIS Oracle Server 18c Linux v1.0.0
-
CIS Oracle Server 12c Windows v3.0.0
-
CIS Oracle Server 12c Linux v3.0.0
-
CIS Oracle Server 11g R2 Windows v2.2.0
-
CIS Oracle Server 11g R2 Unix v2.2.0
-
CIS Oracle Linux 8 Workstation Level 2 v1.0.1
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Oracle Linux 8 Workstation Level 1 v1.0.1
- Ensure /tmp is configured - config check
- Ensure /tmp is configured - mount check
- Ensure address space layout randomization (ASLR) is enabled - sysctl
- Ensure address space layout randomization (ASLR) is enabled - sysctl.conf sysctl.d
- Ensure AIDE is installed
- Ensure authentication required for single user mode - emergency.service
-
CIS Oracle Linux 8 Server Level 2 v1.0.1
- Disable IPv6
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - audit
- Ensure auditd is installed - audit-libs
- Ensure auditd service is enabled
-
CIS Oracle Linux 8 Server Level 1 v1.0.1
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /tmp is configured - config check
- Ensure /tmp is configured - mount check
- Ensure address space layout randomization (ASLR) is enabled - sysctl
-
CIS Oracle Linux 7 Workstation Level 2 v3.1.1
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
-
CIS Oracle Linux 7 Workstation Level 1 v3.1.1
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /home partition includes the nodev option
- Ensure /tmp is configured
- Ensure /var/tmp partition includes the nodev option
- Ensure /var/tmp partition includes the noexec option
-
CIS Oracle Linux 7 Server Level 2 v3.1.1
- Disable IPv6
- Ensure audit log storage size is configured
- Ensure audit logs are not automatically deleted
- Ensure auditd is installed - audit
- Ensure auditd is installed - audit-libs
- Ensure auditd service is enabled and running - enabled
-
CIS Oracle Linux 7 Server Level 1 v3.1.1
- Disable Automounting
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /dev/shm is configured - fstab
- Ensure /dev/shm is configured - mount
- Ensure /home partition includes the nodev option
-
CIS Oracle Linux 6 Workstation Level 2 v2.0.0
- Disable Automounting
- Disable IPv6
- Disable USB Storage - lsmod
- Disable USB Storage - modprobe
- Ensure /tmp is configured
- Ensure audit log storage size is configured
-
CIS Oracle Linux 6 Workstation Level 1 v2.0.0