800-53|CA-9

Title

INTERNAL SYSTEM CONNECTIONS

Description

The organization:

a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and

b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Supplemental

This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration.
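The class-based approach described above (authorize a class of components with common characteristics rather than each connection individually) can be expressed as a small policy check. The following is an added example, not NIST text and not part of any Tenable audit: it assumes a constructed inventory of constituent components and constructed class authorizations (class names, baseline identifiers, hosts and service lists are all hypothetical). A component is authorized only if it falls within an authorized class (matching device type, baseline configuration and capability ceiling) and the services it actually exposes are covered by that class; anything else is flagged for individual authorization or remediation.

```python
"""Class-based authorization of internal system connections (CA-9).

Added example; all classes, hosts and baselines below are constructed
for illustration and do not come from the control text.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]  # (protocol, port) a component exposes or uses


@dataclass(frozen=True)
class ComponentClass:
    """An authorized class of components sharing common characteristics."""
    name: str
    device_types: FrozenSet[str]       # e.g. printers, copiers, scanners
    baseline: str                      # required baseline configuration id
    allowed_services: FrozenSet[Service]
    max_storage_gb: int                # capability ceiling the authorization covers


@dataclass(frozen=True)
class Component:
    """A constituent component observed on the internal network."""
    host: str
    device_type: str
    baseline: str
    storage_gb: int
    services: FrozenSet[Service]       # services actually observed


@dataclass(frozen=True)
class Finding:
    host: str
    status: str                        # "authorized" or "unauthorized"
    reason: str
    matched_class: Optional[str] = None


def matching_classes(c: Component, classes: List[ComponentClass]) -> List[ComponentClass]:
    """Classes whose common characteristics the component satisfies."""
    return [
        k for k in classes
        if c.device_type in k.device_types
        and c.baseline == k.baseline
        and c.storage_gb <= k.max_storage_gb
    ]


def evaluate(c: Component, classes: List[ComponentClass]) -> Finding:
    """Decide whether a component's internal connection is covered by a class authorization."""
    candidates = matching_classes(c, classes)
    if not candidates:
        return Finding(c.host, "unauthorized",
                       "no authorized class matches device type, baseline and capability; "
                       "requires individual authorization")
    for k in candidates:
        if c.services <= k.allowed_services:
            return Finding(c.host, "authorized", f"covered by class {k.name}", k.name)
    # Component fits a class but exposes services the class authorization never covered.
    k = candidates[0]
    extra = sorted(c.services - k.allowed_services)
    return Finding(c.host, "unauthorized",
                   f"services {extra} not covered by class {k.name}", k.name)


def review(components: List[Component], classes: List[ComponentClass]) -> List[Finding]:
    return [evaluate(c, classes) for c in components]


# Constructed class authorizations (hypothetical names and baselines).
CLASSES = [
    ComponentClass("mfp-baseline-2", frozenset({"printer", "copier", "scanner"}),
                   "mfp-v2", frozenset({("tcp", 9100), ("tcp", 631)}), 64),
    ComponentClass("managed-phones", frozenset({"smartphone"}),
                   "mdm-profile-7", frozenset({("tcp", 443)}), 256),
]

# Constructed inventory of observed components.
INVENTORY = [
    Component("prn-01", "printer", "mfp-v2", 32, frozenset({("tcp", 9100), ("tcp", 631)})),
    Component("prn-02", "printer", "mfp-v2", 32, frozenset({("tcp", 9100), ("tcp", 23)})),
    Component("prn-03", "printer", "mfp-v1", 32, frozenset({("tcp", 9100)})),
    Component("phone-07", "smartphone", "mdm-profile-7", 128, frozenset({("tcp", 443)})),
    Component("nas-01", "server", "srv-gold-3", 2000, frozenset({("tcp", 445)})),
]

if __name__ == "__main__":
    for f in review(INVENTORY, CLASSES):
        print(f"{f.host:10} {f.status:13} {f.reason}")
```

In this constructed inventory prn-02 fits the printer class but also exposes telnet, so it is not covered by the class authorization; prn-03 runs an older baseline and falls outside every class; and nas-01 has no class at all and needs its own authorization record. Keeping the class definitions as data, rather than hard-coding each host, is what makes the per-class authorization the guidance describes auditable.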

Reference Item Details

Related: AC-18,AC-19,AC-3,AC-4,AU-12,AU-2,CA-7,CM-2,IA-3,SC-7,SI-4

Category: SECURITY ASSESSMENT AND AUTHORIZATION

Family: SECURITY ASSESSMENT AND AUTHORIZATION

Priority: P2

Baseline Impact: LOW,MODERATE,HIGH

Audit Items


Name | Plugin | Audit Name
1.3.2 Disable TCP and UDP small servers | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.5.3 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.6.3 Create network segmentation using Network Policies | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L2
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 19c Linux v1.2.0
2.1.1 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 19c Windows v1.2.0
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Unix | CIS Oracle Server 18c Linux v1.1.0
2.1.2 Ensure 'extproc' Is Not Present in 'listener.ora' | Windows | CIS Oracle Server 18c Windows v1.1.0
2.1.4 Ensure rsync service is not enabled | Unix | CIS Google Container-Optimized OS v1.2.0 L1 Server
2.2 Disable Local-only Graphical Login Environment | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.2.5 Ensure 'REMOTE_LISTENER' Is Empty | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
2.2.5 Ensure 'REMOTE_LISTENER' Is Empty | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
2.3 Configure sendmail Service for Local-Only Mode | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.4 Disable RPC Encryption Key | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 AWS RDS
2.4 Ensure 'Database Mail XPs' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine
2.5 Disable Generic Security Services (GSS) | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.6 Disable Apache Service | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.7 Disable Kerberos TGT Expiration Warning | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 AWS RDS v1.4.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2022 Database L1 DB v1.1.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.4.0 L1 Database Engine
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 AWS RDS v1.3.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0
2.7 Ensure 'Remote Admin Connections' Server Configuration Option is set to '0' | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0
2.12 Disable Telnet Service | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.1 Disable Response to Broadcast ICMPv4 Echo Request | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.2 Disable Response to ICMP Broadcast Netmask Requests | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.2 Disable the Shutdown port | Unix | CIS Apache Tomcat 10 L2 v1.1.0 Middleware
3.2 Disable the Shutdown port | Unix | CIS Apache Tomcat 10.1 v1.0.0 L2
3.2 Disable the Shutdown port | Unix | CIS Apache Tomcat 10 L2 v1.1.0
3.2 Disable the Shutdown port | Unix | CIS Apache Tomcat 9 L2 v1.2.0 Middleware
3.2 Disable the Shutdown port | Unix | CIS Apache Tomcat 9 L2 v1.2.0
3.3.1.1 Ensure IPv6 default deny firewall policy | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
3.3.1.2 Ensure IPv6 loopback traffic is configured | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
3.3.1.3 Ensure IPv6 outbound and established connections are configured | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
3.3.1.4 Ensure IPv6 firewall rules exist for all open ports | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
3.3.2.1 Ensure default deny firewall policy | Unix | CIS Google Container-Optimized OS v1.2.0 L2 Server
3.10 Disable Response to Multicast Echo Request | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.11 Ignore ICMP Redirect Messages | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.12 Set Strict Multihoming | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.13 Disable ICMP Redirect Messages | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.14 Disable TCP Reverse IP Source Routing | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.15 Set Maximum Number of Half-open TCP Connections | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
3.16 Set Maximum Number of Incoming Connections | Unix | CIS Oracle Solaris 11.4 L1 v1.1.0
10.1 Ensure Unused Features are Removed | Unix | CIS IBM WebSphere Liberty v1.0.0 L1
10.2 SN.2 Remove Support for Internet Services (inetd) | Unix | CIS Oracle Solaris 11.4 L2 v1.1.0
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.31 Ensure 'Host-based firewall is installed and enabled' | Windows | CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG MS