| 2.1 Protection Policy for the CPS Control Engine | Tenable ZTE ROSNG | ZTE_ROSNG | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.2.8 Ensure nftables default deny firewall policy | CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.2.9 Ensure nftables default deny firewall policy | CIS CentOS Linux 8 Workstation L1 v2.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.3.2.1 Ensure iptables default deny firewall policy | CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.3.2.1 Ensure iptables default deny firewall policy | CIS Debian 10 Workstation L1 v2.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.3.3.1 Ensure ip6tables default deny firewall policy | CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.3.3.1 Ensure ip6tables default deny firewall policy | CIS Debian 10 Workstation L1 v2.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.2.1 Ensure iptables default deny firewall policy | CIS Debian Linux 12 v1.1.0 L1 Server | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.3.1 Ensure ip6tables default deny firewall policy | CIS Ubuntu Linux 24.04 LTS v1.0.0 L1 Server | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 BL | Windows | MEDIA PROTECTION |
| DG0005-ORACLE11 - Only necessary privileges to the host system should be granted to DBA OS accounts - 'DBA user group members' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | ACCESS CONTROL |
| DG0011-ORACLE11 - Configuration management procedures should be defined and implemented for database software modifications. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0013-ORACLE11 - Database backup procedures should be defined, documented and implemented. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0019-ORACLE11 - Application software should be owned by a Software Application account. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | CONFIGURATION MANAGEMENT |
| DG0025-ORACLE11 - DBMS cryptography must be NIST FIPS 140-2 validated. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0053-ORACLE11 - A single database connection configuration file should not be used to configure all database clients. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0063-ORACLE11 - DBMS privileges to restore database data or other DBMS configurations, features, or objects should be restricted to authorized DBMS accounts. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0064-ORACLE11 - DBMS backup and restoration files should be protected from unauthorized access. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0086-ORACLE11 - DBA roles should be periodically monitored to detect assignment of unauthorized or excess privileges. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0093-ORACLE11 - Remote adminstrative connections to the database should be encrypted - 'Remote admin connections are encrypted' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | ACCESS CONTROL |
| DG0095-ORACLE11 - Audit trail data should be reviewed daily or more frequently. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - '$ORACLE_HOME/bin/extproc does not exist' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | CONFIGURATION MANAGEMENT |
| DG0099-ORACLE11 - Access to external DBMS executables should be disabled or restricted - no PROGRAMS = EXTPROC' - listener.ora | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | CONFIGURATION MANAGEMENT |
| DG0101-ORACLE11 - OS accounts used to execute external procedures should be assigned minimum privileges. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0103-ORACLE11 - Network access to the DBMS must be restricted to authorized personnel - '$ORACLE_HOME/network/admin/sqlnet.ora tcp.invited_nodes is configured' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| DG0118-ORACLE11 - The IAM should review changes to DBA role assignments. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0140-ORACLE11 - Access to DBMS security data should be audited. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0152-ORACLE11 - DBMS network communications should comply with PPS usage restrictions - PORT = 1521, 1575, 1830, 2481, 2482, 2483 or 2484' - cman.ora | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | CONFIGURATION MANAGEMENT |
| DG0152-ORACLE11 - DBMS network communications should comply with PPS usage restrictions - PORT = 1521, 1575, 1830, 2481, 2482, 2483 or 2484' - listener.ora | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | CONFIGURATION MANAGEMENT |
| DG0157-ORACLE11 - Remote DBMS administration should be documented and authorized or disabled. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0159-ORACLE11 - Remote administrative access to the database should be monitored by the IAO or IAM. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0159-ORACLE11 - Remote administrative access to the database should be monitored by the IAO or IAM. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0161-ORACLE11 - An automated tool that monitors audit data and immediately reports suspicious activity should be employed for the DBMS. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0171-ORACLE11 - The DBMS should not have a connection defined to access or be accessed by a DBMS at a different classification level. | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | |
| DG0187-ORACLE11 - DBMS software libraries should be periodically backed up. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | |
| DG0191-ORACLE11 - Credentials used to access remote databases should be protected by encryption and restricted to authorized users - 'Oracle Wallet file permissions are correct' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | CONFIGURATION MANAGEMENT |
| DG0195-ORACLE11 - DBMS production application and data directories should be protected from developers on shared production/development DBMS host systems. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | ACCESS CONTROL |
| DO0145-ORACLE11 - OS DBA group membership should be restricted to authorized accounts. | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | ACCESS CONTROL |
| DO0286-ORACLE11 - The Oracle INBOUND_CONNECT_TIMEOUT and SQLNET.INBOUND_CONNECT_TIMEOUT parameters should be set to a value greater than 0 - '$ORACLE_HOME/network/admin/listener.ora INBOUND_CONNECT_TIMEOUT_{listener} = 0' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | ACCESS CONTROL |
| DO0287-ORACLE11 - The Oracle SQLNET.EXPIRE_TIME parameter should be set to a value greater than 0 - '%ORACLE_HOME%\NETWORK\ADMIN\SQLNET.ORA SQLNET.EXPIRE_TIME > 0' | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | ACCESS CONTROL |
| DO3630-ORACLE11 - The Oracle Listener should be configured to require administration authentication - 'No listeners are running' | DISA STIG Oracle 11 Installation v9r1 Linux | Unix | IDENTIFICATION AND AUTHENTICATION |
| DO5037-ORACLE11 - Oracle SQLNet and listener log files should not be accessible to unauthorized users - '%ORACLE_HOME%\NETWORK\ADMIN\listener.ora LOG_FILE_{listener} is configured' | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | AUDIT AND ACCOUNTABILITY |
| DO5037-ORACLE11 - Oracle SQLNet and listener log files should not be accessible to unauthorized users - '%ORACLE_HOME%\Network\Log\listener.log file permissions are correct' | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| DO5037-ORACLE11 - Oracle SQLNet and listener log files should not be accessible to unauthorized users - 'listener.ora TRACE_DIRECTORY_{listener} is configured' | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | AUDIT AND ACCOUNTABILITY |
| DO6751-ORACLE11 - The SQLNet SQLNET.ALLOWED_LOGON_VERSION parameter must be set to a value of 11 or higher - '%ORACLE_HOME%\NETWORK\ADMIN\SQLNET.ORA SQLNET.ALLOWED_LOGON_VERSION > 11' | DISA STIG Oracle 11 Installation v9r1 Windows | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| DO6753-ORACLE11 - Oracle Application Express or Oracle HTML DB should not be installed on a production database. | DISA STIG Oracle 11 Installation v9r1 Database | OracleDB | CONFIGURATION MANAGEMENT |
| JUEX-RT-000450 - The Juniper PE router must be configured with Unicast Reverse Path Forwarding (uRPF) loose mode, or a firewall filter, enabled on all CE-facing interfaces. | DISA Juniper EX Series Router v2r1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| MSFT-11-001100 - Microsoft Android 11 allow list must be configured to not include applications with the following characteristics: | AirWatch - DISA Microsoft Android 11 COBO v1r2 | MDM | CONFIGURATION MANAGEMENT |
| WBSP-AS-000640 - The WebSphere Application Server must alert the SA and ISSO, in the event of a log processing failure - notification | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000640 - The WebSphere Application Server must alert the SA and ISSO, in the event of a log processing failure - notification | DISA IBM WebSphere Traditional 9 STIG v1r1 | Unix | AUDIT AND ACCOUNTABILITY |
