| 1.1.22 Ensure nosuid option set on removable media partitions | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.6.1.3 Ensure SELinux policy is configured - sestatus | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.4.4 Ensure default user umask is 027 or more restrictive - /etc/profile.d/*.sh | CIS Debian 8 Workstation L1 v2.0.2 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.10 Ensure no world writable files exist | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.10 Ensure no world writable files exist | CIS Debian 8 Server L1 v2.0.2 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| APPL-14-005070 - The macOS system must enable Authenticated Root. | DISA Apple macOS 14 (Sonoma) STIG v2r1 | Unix | ACCESS CONTROL |
| Big Sur - Disable Bluetooth Sharing | NIST macOS Big Sur v1.4.0 - CNSSI 1253 | Unix | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| CNTR-K8-000300 - The Kubernetes Scheduler must have secure binding. | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| CNTR-K8-000310 - The Kubernetes Controller Manager must have secure binding. | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| CNTR-K8-000320 - The Kubernetes API server must have the insecure port flag disabled. | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| CNTR-K8-000350 - The Kubernetes API server must have the secure port set. | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| CNTR-K8-000370 - The Kubernetes Kubelet must have anonymous authentication disabled. | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| CNTR-K8-000460 - Kubernetes DynamicKubeletConfig must not be enabled - kubelet | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| CNTR-K8-000470 - The Kubernetes API server must have Alpha APIs disabled. | DISA STIG Kubernetes v2r1 | Unix | ACCESS CONTROL |
| DB2X-00-003200 - Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to DB2, etc.) must be owned by database/DBMS principals authorized for ownership - NICKNAMES | DISA STIG IBM DB2 v10.5 LUW v1r4 Database | IBM_DB2DB | ACCESS CONTROL |
| DB2X-00-003200 - Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to DB2, etc.) must be owned by database/DBMS principals authorized for ownership - ROUTINES | DISA STIG IBM DB2 v10.5 LUW v1r4 Database | IBM_DB2DB | ACCESS CONTROL |
| DB2X-00-003200 - Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to DB2, etc.) must be owned by database/DBMS principals authorized for ownership - SEQUENCES | DISA STIG IBM DB2 v10.5 LUW v1r4 Database | IBM_DB2DB | ACCESS CONTROL |
| DB2X-00-004800 - DB2 must separate user functionality (including user interface services) from database management functionality - SYSADM_GROUP | DISA STIG IBM DB2 v10.5 LUW v1r4 Database | IBM_DB2DB | ACCESS CONTROL |
| DB2X-00-007000 - DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures - TBSPACEAUTH | DISA STIG IBM DB2 v10.5 LUW v1r4 Database | IBM_DB2DB | ACCESS CONTROL |
| EP11-00-000700 - The EDB Postgres Advanced Server must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals. | EDB PostgreSQL Advanced Server v11 Windows OS Audit v1r1 | Windows | ACCESS CONTROL |
| EX19-MB-000020 Exchange must have authenticated access set to integrated Windows authentication only. | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r1 | Windows | ACCESS CONTROL |
| GEN001210 M6 - System command files must not have extended ACLs - '/usr/bin' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN001310 M6 - All library files must not have extended ACLs - '/System/Library/Frameworks' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN001390 M6 - The /etc/passwd file must not have an extended ACL | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN001570 M6 - All files and directories contained in user home directories must not have extended ACLs | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN001590 M6 - Launch control scripts must not have extended ACLs - '/System/Library/LaunchAgents' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN003090 M6 - Crontab files must not have extended ACLs - '/usr/bin/crontab' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN003110 M6 - Cron and crontab directories must not have extended ACLs - '/usr/lib/cron' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN003210 M6 - The cron.deny file must not have an extended ACL - '/private/var/at/cron.deny' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN003440 M6 - 'At' jobs must not set the umask to a value less restrictive than 077 - '/var/at/spool/*' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN005395 M6 - The /etc/syslog.conf file must not have an extended ACL - '/etc/syslog.conf' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| GEN008120 M6 - The /etc/openldap/ldap.conf (or equivalent) file must not have an extended ACL - '/etc/openldap/ldap.conf' | DISA STIG Apple Mac OSX 10.6 v1r3 | Unix | ACCESS CONTROL |
| JUEX-NM-000060 - The Juniper EX switch must be configured to assign appropriate user roles or access levels to authenticated users. | DISA Juniper EX Series Network Device Management v2r1 | Juniper | ACCESS CONTROL |
| MADB-10-000300 - MariaDB must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | DISA MariaDB Enterprise 10.x v2r1 DB | MySQLDB | ACCESS CONTROL |
| MYS8-00-005400 - The MySQL Database Server 8.0 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | DISA Oracle MySQL 8.0 v2r1 DB | MySQLDB | ACCESS CONTROL |
| PPS9-00-004200 - The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | EDB PostgreSQL Advanced Server OS Linux Audit v1r7 | Unix | ACCESS CONTROL |
| RHEL-07-010483 - Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | DISA Red Hat Enterprise Linux 7 STIG v3r15 | Unix | ACCESS CONTROL |
| RHEL-07-010492 - Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | DISA Red Hat Enterprise Linux 7 STIG v3r15 | Unix | ACCESS CONTROL |
| RHEL-08-010140 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. | DISA Red Hat Enterprise Linux 8 STIG v1r14 | Unix | ACCESS CONTROL |
| RHEL-08-010141 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. | DISA Red Hat Enterprise Linux 8 STIG v1r14 | Unix | ACCESS CONTROL |
| RHEL-08-010149 - RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes. | DISA Red Hat Enterprise Linux 8 STIG v1r14 | Unix | ACCESS CONTROL |
| RHEL-09-212020 - RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes. | DISA Red Hat Enterprise Linux 9 STIG v2r1 | Unix | ACCESS CONTROL |
| SLES-15-010190 - SUSE operating systems with a basic input/output system (BIOS) must require authentication upon booting into single-user and maintenance modes. | DISA SLES 15 STIG v2r1 | Unix | ACCESS CONTROL |
| UBTU-20-010009 - Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes. | DISA STIG Ubuntu 20.04 LTS v1r12 | Unix | ACCESS CONTROL |
| WBSP-AS-000212 - The WebSphere Application Server Java 2 security must not be bypassed. | DISA IBM WebSphere Traditional 9 STIG v1r1 | Unix | ACCESS CONTROL |
| WN11-UR-000080 - The 'Deny log on as a service' user right on Windows 11 domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | DISA Windows 11 STIG v2r1 | Windows | ACCESS CONTROL |
| WN22-DC-000340 - Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. | DISA Windows Server 2022 STIG v2r1 | Windows | ACCESS CONTROL |
| WN22-DC-000360 - Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers. | DISA Windows Server 2022 STIG v2r1 | Windows | ACCESS CONTROL |
| WN22-DC-000390 - Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers. | DISA Windows Server 2022 STIG v2r1 | Windows | ACCESS CONTROL |
| WN22-MS-000090 - Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | DISA Windows Server 2022 STIG v2r1 | Windows | ACCESS CONTROL |
