| APPL-14-002003 - The macOS system must disable Network File System service. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | ACCESS CONTROL |
| APPL-14-002008 - The macOS system must disable the built-in web server. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | ACCESS CONTROL |
| APPL-14-002020 - The macOS system must disable Siri. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002037 - The macOS system must disable iCloud Storage Setup during Setup Assistant. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002052 - The macOS system must disable the System Settings pane for Wallet and Apple Pay. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002090 - The macOS system must disable TouchID for unlocking the device. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | ACCESS CONTROL |
| APPL-14-002100 - The macOS system must disable Media Sharing. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | ACCESS CONTROL |
| APPL-14-002140 - The macOS system must disable content caching service. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002190 - The macOS system must disable password autofill. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002200 - The macOS system must disable personalized advertising. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002210 - The macOS system must disable sending Siri and Dictation information to Apple. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-002240 - The macOS system must disable Printer Sharing. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-003012 - The macOS system must disable password hints. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | IDENTIFICATION AND AUTHENTICATION |
| APPL-14-005050 - The macOS system must enable the application firewall. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-005110 - The macOS system must enforce enrollment in mobile device management. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| APPL-14-005130 - The macOS system must enforce installation of XProtect Remediator and Gatekeeper updates automatically. | DISA Apple macOS 14 Sonoma STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| ARST-L2-000060 - The Arista MLS layer 2 switch must have BPDU Guard enabled on all switch ports connecting to access layer switches and hosts. | DISA STIG Arista MLS EOS 4.2x L2S v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-L2-000090 - The Arista MLS layer 2 switch must have DHCP snooping for all user VLANs to validate DHCP messages from untrusted sources. | DISA STIG Arista MLS EOS 4.2x L2S v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-L2-000110 - The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA STIG Arista MLS EOS 4.2x L2S v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-L2-000210 - The Arista MLS layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. | DISA STIG Arista MLS EOS 4.2x L2S v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-ND-000840 - The Arista network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA STIG Arista MLS EOS 4.2x NDM v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-RT-000040 - The Arista BGP router must be configured to reject inbound route advertisements from a customer edge (CE) router for prefixes that are not allocated to that customer. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | ACCESS CONTROL |
| ARST-RT-000120 - The Arista multicast router must be configured to disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | ACCESS CONTROL |
| ARST-RT-000480 - The PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | IDENTIFICATION AND AUTHENTICATION |
| ARST-RT-000510 - The Arista router must be configured to have gratuitous ARP disabled on all external interfaces. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-RT-000540 - The Arista router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-RT-000720 - The MPLS router must be configured to have TTL propagation disabled. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | CONFIGURATION MANAGEMENT |
| BIND-9X-001020 - The BIND 9.x secondary name server must limit the number of zones requested from a single primary name server. | DISA BIND 9.x STIG v3r1 | Unix | ACCESS CONTROL |
| BIND-9X-001060 - The print-time variable for the configuration of BIND 9.x server logs must be configured to establish when (date and time) the events occurred. | DISA BIND 9.x STIG v3r1 | Unix | AUDIT AND ACCOUNTABILITY |
| BIND-9X-001250 - A BIND 9.x implementation operating in a split DNS configuration must be approved by the organization's authorizing official (AO). | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001260 - On the BIND 9.x server the IP address for hidden primary authoritative name servers must not appear in the name servers set in the zone database. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001360 - The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. government. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001390 - The primary servers in a BIND 9.x implementation must notify authorized secondary name servers when zone files are updated. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001410 - On a BIND 9.x server, all root name servers listed in the local root zone file hosted on a BIND 9.x authoritative name server must be empty or removed. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001430 - The BIND 9.x server implementation must implement internal/external role separation. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001490 - On the BIND 9.x server, the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001530 - The platform on which the name server software is hosted must only run processes and services needed to support the BIND 9.x implementation. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001570 - On a BIND 9.x server, all authoritative name servers for a zone must have the same version of zone information. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001700 - The BIND 9.x server implementation must use separate TSIG key-pairs when securing server-to-server transactions. | DISA BIND 9.x STIG v3r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| BIND-9X-001780 - The BIND 9.x server validity period for the RRSIGs covering the DS RR for zones delegated children must be no less than two days and no more than one week. | DISA BIND 9.x STIG v3r1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| BIND-9X-002460 - The BIND 9.x server implementation must have fetches-per-server enabled. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-002470 - The host running a BIND 9.x implementation must have DNS cookies enabled. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| UBTU-20-010003 - The Ubuntu operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting local access to the system via a graphical user logon. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | ACCESS CONTROL |
| UBTU-20-010016 - The Ubuntu operating system default filesystem permissions must be defined in such a way that all authenticated users can read and modify only their own files. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| UBTU-20-010036 - The Ubuntu operating system must immediately terminate all network connections associated with SSH traffic after a period of inactivity. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| UBTU-20-010057 - The Ubuntu operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | CONFIGURATION MANAGEMENT |
| UBTU-20-010137 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chfn command. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | AUDIT AND ACCOUNTABILITY |
| UBTU-20-010162 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the sudoedit command. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | AUDIT AND ACCOUNTABILITY |
| UBTU-20-010175 - The Ubuntu operating system must generate audit records for successful/unsuccessful uses of the chage command. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | AUDIT AND ACCOUNTABILITY |
| UBTU-20-010267 - The Ubuntu operating system must generate audit records for any successful/unsuccessful use of unlink, unlinkat, rename, renameat, and rmdir system calls. | DISA Canonical Ubuntu 20.04 LTS STIG v2r4 | Unix | AUDIT AND ACCOUNTABILITY |
