STIGhub

CCI-000764

Definition

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

Parent Control

IA-2: Identification and Authentication (Organizational Users)
Family: Identification and Authentication

Linked STIG Checks (200)

Vuln ID | Severity | Requirement | STIG / SRG
V-255596 | CAT II | The A10 Networks ADC must not have any shared accounts (other than the emergency administration account). | A10 Networks ADC NDM Security Technical Implementation Guide
V-255597 | CAT I | The A10 Networks ADC must not use the default admin account. | A10 Networks ADC NDM Security Technical Implementation Guide
V-255623 | CAT I | The A10 Networks ADC must not use the default enable password. | A10 Networks ADC NDM Security Technical Implementation Guide
V-204660 | CAT I | AAA Services must be configured to uniquely identify and authenticate organizational users. | AAA Services Security Requirements Guide
V-243484 | CAT II | Security identifiers (SIDs) must be configured to use only authentication data of directly trusted external or forest trust. | Active Directory Domain Security Technical Implementation Guide
V-279055 | CAT I | ColdFusion must be using an enterprise solution for authentication. | Adobe ColdFusion Security Technical Implementation Guide
V-274159 | CAT II | Amazon Linux 2023 must insure all interactive users have a primary group that exists. | Amazon Linux 2023 Security Technical Implementation Guide
V-274160 | CAT II | Amazon Linux 2023 must ensure all interactive users have unique User IDs (UIDs). | Amazon Linux 2023 Security Technical Implementation Guide
V-268135 | CAT II | NixOS must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users). | Anduril NixOS Security Technical Implementation Guide
V-222962 | CAT II | Tomcat management applications must use LDAP realm authentication. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-254615 | CAT II | Apple iOS/iPadOS 16 must implement the management setting: use SSL for Exchange ActiveSync. | Apple iOS-iPadOS 16 Security Technical Implementation Guide
V-254616 | CAT II | Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app. | Apple iOS-iPadOS 16 Security Technical Implementation Guide
V-257124 | CAT II | Apple iOS/iPadOS 16 must implement the management setting: use SSL for Exchange ActiveSync. | Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide
V-257125 | CAT II | Apple iOS/iPadOS 16 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 16 Mail app. | Apple iOS/iPadOS 16 BYOAD Security Technical Implementation Guide
V-259783 | CAT II | Apple iOS/iPadOS 17 must implement the management setting: use SSL for Exchange ActiveSync. | Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-259784 | CAT II | Apple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app. | Apple iOS/iPadOS 17 MDFPP 3.3 BYOAD Security Technical Implementation Guide
V-258348 | CAT II | Apple iOS/iPadOS 17 must implement the management setting: use SSL for Exchange ActiveSync. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
V-258349 | CAT II | Apple iOS/iPadOS 17 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 17 Mail app. | Apple iOS/iPadOS 17 Security Technical Implementation Guide
V-268035 | CAT II | Apple iOS/iPadOS 18 must implement the management setting: use SSL for Exchange ActiveSync. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-268036 | CAT II | Apple iOS/iPadOS 18 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 18 Mail app. | Apple iOS/iPadOS 18 Security Technical Implementation Guide
V-278794 | CAT II | Apple iOS/iPadOS 26 must implement the management setting: use SSL for Exchange ActiveSync. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-278795 | CAT II | Apple iOS/iPadOS 26 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple iOS/iPadOS 26 Mail app. | Apple iOS/iPadOS 26 Security Technical Implementation Guide
V-259443 | CAT II | The macOS system must disable logon to other user's active and locked sessions. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-259444 | CAT II | The macOS system must disable root logon. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-259563 | CAT II | The macOS system must configure login window to prompt for username and password. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268442 | CAT II | The macOS system must disable login to other users' active and locked sessions. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268443 | CAT II | The macOS system must disable root login. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268512 | CAT I | The macOS system must disable unattended or automatic login to the system. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268558 | CAT II | The macOS system must configure the login window to prompt for username and password. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277050 | CAT II | The macOS system must disable login to other users' active and locked sessions. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277051 | CAT II | The macOS system must disable root login. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277121 | CAT I | The macOS system must disable unattended or automatic login to the system. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277168 | CAT II | The macOS system must configure the login window to prompt for username and password. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-276397 | CAT II | Apple visionOS 2 must implement the management setting: use Secure Sockets Layer (SSL) for Exchange ActiveSync. | Apple visionOS 2 Security Technical Implementation Guide
V-276398 | CAT II | Apple visionOS 2 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple visionOS 2 Mail app. | Apple visionOS 2 Security Technical Implementation Guide
V-282806 | CAT II | Apple visionOS 26 must implement the management setting: use SSL for Exchange ActiveSync. | Apple visionOS 26 Security Technical Implementation Guide
V-282807 | CAT II | Apple visionOS 26 must implement the management setting: not allow messages in an ActiveSync Exchange account to be forwarded or moved to other accounts in the Apple visionOS 26 Mail app. | Apple visionOS 26 Security Technical Implementation Guide
V-204945 | CAT II | The ALG providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Application Layer Gateway Security Requirements Guide
V-204946 | CAT II | The ALG providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. | Application Layer Gateway Security Requirements Guide
V-204947 | CAT II | The ALG providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). | Application Layer Gateway Security Requirements Guide
V-274559 | CAT II | The API must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Application Programming Interface (API) Security Requirements Guide
V-222522 | CAT I | The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Application Security and Development Security Technical Implementation Guide
V-204745 | CAT II | The application server must use an approved DOD enterprise identity, credential, and access management (ICAM) solution to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | Application Server Security Requirements Guide
V-237322 | CAT I | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | ArcGIS for Server 10.3 Security Technical Implementation Guide
V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-79021 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79029 | CAT II | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79031 | CAT II | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79037 | CAT II | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79041 | CAT II | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-79043 | CAT II | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication. | BlackBerry Enterprise Mobility Server 2.x Security Technical Implementation Guide
V-254715 | CAT II | The BlackBerry Enterprise Mobility Server (BEMS) must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254719 | CAT II | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254720 | CAT II | If the Mail service (Push Notifications support for BlackBerry Work) is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Integrated Authentication for the Exchange connection. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254723 | CAT II | If the BlackBerry Connect service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254725 | CAT II | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use Windows Authentication for the database connection. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-254726 | CAT II | If the BlackBerry Docs service is installed on the BlackBerry Enterprise Mobility Server (BEMS), it must be configured to use NTLM authentication. | BlackBerry Enterprise Mobility Server 3.x Security Technical Implementation Guide
V-224385 | CAT II | All BlackBerry UEM server local accounts created during application installation and configuration must be disabled or removed. | BlackBerry UEM Security Technical Implementation Guide
V-237362 | CAT II | The CA API Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | CA API Gateway ALG Security Technical Implementation Guide
V-237363 | CAT II | The CA API Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) that validate user account access authorizations and privileges. | CA API Gateway ALG Security Technical Implementation Guide
V-237364 | CAT II | The CA API Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). | CA API Gateway ALG Security Technical Implementation Guide
V-251612 | CAT II | The IDMS environment must require sign-on for users and restrict them to only authorized functions. | CA IDMS Security Technical Implementation Guide
V-219325 | CAT II | The Ubuntu operating system must uniquely identify interactive users. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238205 | CAT II | The Ubuntu operating system must uniquely identify interactive users. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260543 | CAT II | Ubuntu 22.04 LTS must uniquely identify interactive users. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270720 | CAT II | Ubuntu 24.04 LTS must uniquely identify interactive users. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-206460 | CAT I | The Central Log Server must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Central Log Server Security Requirements Guide
V-271927 | CAT I | The Cisco ACI must be configured to assign appropriate user roles or access levels to authenticated users. | Cisco ACI NDM Security Technical Implementation Guide
V-239967 | CAT II | The Cisco ASA remote access VPN server must be configured to identify and authenticate users before granting access to the network. | Cisco ASA VPN Security Technical Implementation Guide
V-259875 | CAT II | The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Cloud Computing Mission Owner Operating System Security Requirements Guide
V-269364 | CAT II | Groups must have unique Group IDs (GIDs). | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269365 | CAT II | Duplicate User IDs (UIDs) must not exist for interactive users. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269366 | CAT II | All AlmaLinux OS 9 interactive users must have a primary group that exists. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233075 | CAT II | The container platform must uniquely identify and authenticate users. | Container Platform Security Requirements Guide
V-233076 | CAT II | The container platform application program interface (API) must uniquely identify and authenticate users. | Container Platform Security Requirements Guide
V-233077 | CAT II | The container platform must uniquely identify and authenticate processes acting on behalf of the users. | Container Platform Security Requirements Guide
V-233078 | CAT II | The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users. | Container Platform Security Requirements Guide
V-233612 | CAT II | PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261890 | CAT II | PostgreSQL must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206554 | CAT II | The DBMS must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Database Security Requirements Guide
V-269787 | CAT I | The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. | Dell OS10 Switch NDM Security Technical Implementation Guide
V-235780 | CAT II | LDAP integration in Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-224165 | CAT II | The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213596 | CAT II | The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259964 | CAT I | The Enterprise Voice, Video, and Messaging Endpoint must be configured to uniquely identify participating users. | Enterprise Voice, Video, and Messaging Endpoint Security Requirements Guide
V-260009 | CAT I | The Enterprise Voice, Video, and Messaging Session Manager must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
V-260010 | CAT I | The Enterprise Voice, Video, and Messaging Session Manager must be configured to use an organizational-level user account management system. | Enterprise Voice, Video, and Messaging Session Management Security Requirements Guide
V-259245 | CAT II | The EDB Postgres Advanced Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-215718 | CAT II | The BIG-IP APM module must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers. | F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
V-215719 | CAT II | The BIG-IP APM module must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers. | F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
V-215720 | CAT II | The BIG-IP APM module must restrict user authentication traffic to specific authentication server(s) when providing user authentication to virtual servers. | F5 BIG-IP Access Policy Manager Security Technical Implementation Guide
V-228988 | CAT I | The BIG-IP appliance must be configured to uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators). | F5 BIG-IP Device Management Security Technical Implementation Guide
V-215758 | CAT II | The BIG-IP Core implementation must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users) when connecting to virtual servers. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-215759 | CAT II | The BIG-IP Core implementation must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or authentication, authorization, and accounting (AAA) server) that validate user account access authorizations and privileges when providing access control to virtual servers. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-215760 | CAT II | The BIG-IP Core implementation providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s) when providing access control to virtual servers. | F5 BIG-IP Local Traffic Manager Security Technical Implementation Guide
V-266152 | CAT I | The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA). | F5 BIG-IP TMOS ALG Security Technical Implementation Guide
V-266085 | CAT I | The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins. | F5 BIG-IP TMOS NDM Security Technical Implementation Guide
V-237576 | CAT II | If user authentication services are provided, CounterACT must be configured with a pre-established trust relationship and mechanisms with a central directory service that validates user account access authorizations and privileges. | ForeScout CounterACT ALG Security Technical Implementation Guide
V-237577 | CAT II | If user authentication services are provided, CounterACT must restrict user authentication traffic to specific authentication server(s). | ForeScout CounterACT ALG Security Technical Implementation Guide
V-203639 | CAT II | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users). | General Purpose Operating System Security Requirements Guide
V-237825 | CAT I | The storage system must only be operated in conjunction with an LDAP server in a trusted environment if an Active Directory server is not available. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
V-237827 | CAT I | The storage system must only be operated in conjunction with an Active Directory server in a trusted environment if an LDAP server is not available. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
V-255278 | CAT II | The HPE 3PAR OS must be configured for centralized account management functions via LDAP. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-255288 | CAT II | The HPE 3PAR OS must provide automated mechanisms for supporting account management functions via AD. | HPE 3PAR StoreServ 3.3.x Security Technical Implementation Guide
V-283425 | CAT I | The HPE Alletra Storage ArcusOS device must be configured to use at least two authentication servers for the purpose of authenticating users prior to granting administrative access. | HPE Alletra Storage ArcusOS Network Device Management Security Technical Implementation Guide
V-266929 | CAT I | AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins. | HPE Aruba Networking AOS NDM Security Technical Implementation Guide
V-266995 | CAT II | The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | HPE Aruba Networking AOS VPN Security Technical Implementation Guide
V-268235 | CAT I | The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication. | HYCU Protege Security Technical Implementation Guide
V-215175 | CAT I | All accounts on AIX system must have unique account names. | IBM AIX 7.x Security Technical Implementation Guide
V-215176 | CAT I | All accounts on AIX must be assigned unique User Identification Numbers (UIDs) and must authenticate organizational and non-organizational users (or processes acting on behalf of these users). | IBM AIX 7.x Security Technical Implementation Guide
V-215177 | CAT I | The AIX SYSTEM attribute must not be set to NONE for any account. | IBM AIX 7.x Security Technical Implementation Guide
V-252561 | CAT II | IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252589 | CAT II | IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252606 | CAT II | IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-252642 | CAT II | The IBM Aspera High-Speed Transfer Server must restrict the transfer user(s) to the "aspshell". | IBM Aspera Platform 4.2 Security Technical Implementation Guide
V-65215 | CAT II | The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | IBM DataPower ALG Security Technical Implementation Guide
V-65217 | CAT II | The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. | IBM DataPower ALG Security Technical Implementation Guide
V-65219 | CAT II | The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). | IBM DataPower ALG Security Technical Implementation Guide
V-25247 | CAT II | DCAF Console access must require a password to be entered by each user. | IBM Hardware Management Console (HMC) STIG
V-256861 | CAT II | DCAF Console access must require a password to be entered by each user. | IBM Hardware Management Console (HMC) Security Technical Implementation Guide
V-255801 | CAT II | The MQ Appliance messaging server must use an enterprise user management system to uniquely identify and authenticate users (or processes acting on behalf of organizational users). | IBM MQ Appliance V9.0 AS Security Technical Implementation Guide
V-255735 | CAT II | The MQ Appliance network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators). | IBM MQ Appliance v9.0 NDM Security Technical Implementation Guide
V-250333 | CAT II | The WebSphere Liberty Server must use an LDAP user registry. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-250334 | CAT II | Basic Authentication must be disabled. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255863 | CAT II | The WebSphere Application Server LDAP user registry must be used. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255864 | CAT II | The WebSphere Application Server local file-based user registry must not be used. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223419 | CAT II | IBM z/OS Certificate Name Filtering must be implemented with appropriate authorization and documentation. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223485 | CAT II | IBM z/OS Started Tasks must be properly identified and defined to ACF2. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223493 | CAT I | IBM z/OS UID(0) must be properly assigned. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223494 | CAT II | IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223495 | CAT II | IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223496 | CAT II | ACF2 LOGONIDs must be defined with the required fields completed. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223497 | CAT II | CA-ACF2 defined user accounts must uniquely identify system users. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223525 | CAT II | IBM z/OS FTP Server daemon must be defined with proper security parameters. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223591 | CAT II | IBM z/OS Syslog daemon must be started at z/OS initialization. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223592 | CAT II | IBM z/OS Syslog daemon must be properly defined and secured. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223605 | CAT II | IBM z/OS Started tasks for the Base TCP/IP component must be defined in accordance with security requirements. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223634 | CAT II | IBM z/OS user account for the z/OS UNIX SUPERSUSER userid must be properly defined. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223635 | CAT II | IBM z/OS UNIX user accounts must be properly defined. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223636 | CAT II | IBM z/OS UNIX groups must be defined with a unique GID. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223637 | CAT II | IBM z/OS Attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223638 | CAT II | IBM z/OS Attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. | IBM z/OS ACF2 Security Technical Implementation Guide
V-255934 | CAT II | IBM Integrated Crypto Service Facility (ICSF) Started Task name must be properly identified / defined to the system ACP. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223646 | CAT II | Certificate Name Filtering must be implemented with appropriate authorization and documentation. | IBM z/OS RACF Security Technical Implementation Guide
V-223717 | CAT II | IBM RACF users must have the required default fields. | IBM z/OS RACF Security Technical Implementation Guide
V-223719 | CAT II | IBM z/OS Started Tasks must be properly identified and defined to RACF. | IBM z/OS RACF Security Technical Implementation Guide
V-223721 | CAT II | The IBM RACF Automatic Data Set Protection (ADSP) SETROPTS value must be set to NOADSP. | IBM z/OS RACF Security Technical Implementation Guide
V-223722 | CAT II | IBM RACF user accounts must uniquely identify system users. | IBM z/OS RACF Security Technical Implementation Guide
V-223742 | CAT II | The IBM z/OS FTP server daemon must be defined with proper security parameters. | IBM z/OS RACF Security Technical Implementation Guide
V-223813 | CAT II | The IBM z/OS Syslog daemon must be started at z/OS initialization. | IBM z/OS RACF Security Technical Implementation Guide
V-223814 | CAT II | The IBM z/OS Syslog daemon must be properly defined and secured. | IBM z/OS RACF Security Technical Implementation Guide
V-223856 | CAT I | IBM z/OS UID(0) must be properly assigned. | IBM z/OS RACF Security Technical Implementation Guide
V-223857 | CAT II | IBM z/OS UNIX groups must be defined with a unique GID. | IBM z/OS RACF Security Technical Implementation Guide
V-223859 | CAT II | The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. | IBM z/OS RACF Security Technical Implementation Guide
V-223860 | CAT II | The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. | IBM z/OS RACF Security Technical Implementation Guide
V-223861 | CAT II | The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. | IBM z/OS RACF Security Technical Implementation Guide
V-223862 | CAT II | IBM z/OS UNIX user accounts must be properly defined. | IBM z/OS RACF Security Technical Implementation Guide
V-223863 | CAT II | IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. | IBM z/OS RACF Security Technical Implementation Guide
V-255937 | CAT II | IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP. | IBM z/OS RACF Security Technical Implementation Guide
V-255938 | CAT II | IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the STARTED resource class for RACF. | IBM z/OS RACF Security Technical Implementation Guide
V-272877 | CAT II | IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements. | IBM z/OS RACF Security Technical Implementation Guide
V-223873 | CAT II | IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation. | IBM z/OS TSS Security Technical Implementation Guide
V-223944 | CAT II | The CA-TSS CPFRCVUND Control Option value specified must be set to NO. | IBM z/OS TSS Security Technical Implementation Guide
V-223945 | CAT II | The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL. | IBM z/OS TSS Security Technical Implementation Guide
V-223946 | CAT III | CA-TSS User ACIDs and Control ACIDs must have the NAME field completed. | IBM z/OS TSS Security Technical Implementation Guide
V-223947 | CAT I | The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type. | IBM z/OS TSS Security Technical Implementation Guide
V-223948 | CAT III | Interactive ACIDs defined to CA-TSS must have the required fields completed. | IBM z/OS TSS Security Technical Implementation Guide
V-223950 | CAT II | CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced. | IBM z/OS TSS Security Technical Implementation Guide
V-223951 | CAT II | IBM z/OS DASD management ACIDs must be properly defined to CA-TSS. | IBM z/OS TSS Security Technical Implementation Guide
V-223979 | CAT II | The IBM z/OS FTP server daemon must be defined with proper security parameters. | IBM z/OS TSS Security Technical Implementation Guide
V-224047 | CAT II | The IBM z/OS Syslog daemon must not be started at z/OS initialization. | IBM z/OS TSS Security Technical Implementation Guide
V-224048 | CAT II | The IBM z/OS Syslog daemon must be properly defined and secured. | IBM z/OS TSS Security Technical Implementation Guide
V-224061 | CAT II | IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements. | IBM z/OS TSS Security Technical Implementation Guide
V-224092 | CAT II | IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. | IBM z/OS TSS Security Technical Implementation Guide
V-224093 | CAT II | The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. | IBM z/OS TSS Security Technical Implementation Guide
V-224094 | CAT II | The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. | IBM z/OS TSS Security Technical Implementation Guide
V-224095 | CAT II | The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. | IBM z/OS TSS Security Technical Implementation Guide
V-224096 | CAT I | IBM z/OS UID(0) must be properly assigned. | IBM z/OS TSS Security Technical Implementation Guide
V-224097 | CAT II | IBM z/OS UNIX user accounts must be properly defined. | IBM z/OS TSS Security Technical Implementation Guide
V-224098 | CAT II | IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. | IBM z/OS TSS Security Technical Implementation Guide
V-255942 | CAT II | IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP. | IBM z/OS TSS Security Technical Implementation Guide
V-255943 | CAT II | IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret. | IBM z/OS TSS Security Technical Implementation Guide
V-259731 | CAT II | Started tasks for IBM Security zSecure products must be properly defined. | IBM zSecure Suite Security Technical Implementation Guide
V-237917 | CAT II | CA VM:Secure product NORULE record in the SECURITY CONFIG file must be configured to REJECT. | IBM zVM Using CA VM:Secure Security Technical Implementation Guide
V-224767 | CAT II | SEC7 SPHERE must disable or delete local account created during
application installation and configuration.ISEC7 Sphere Security Technical Implementation GuideV-258600CAT IThe ICS must be configured to prevent nonprivileged users from executing privileged functions.Ivanti Connect Secure NDM Security Technical Implementation GuideV-258588CAT IIThe ICS must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).Ivanti Connect Secure VPN Security Technical Implementation GuideV-251023CAT IIThe Sentry providing mobile device access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate mobile device account access authorizations and privileges.Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation GuideV-251024CAT IIThe Sentry providing mobile device authentication intermediary services must restrict mobile device authentication traffic to specific authentication server(s).Ivanti MobileIron Sentry 9.x ALG Security Technical Implementation GuideV-251023CAT IIThe Sentry providing mobile device access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate mobile device account access authorizations and privileges.Ivanti Sentry 9.x ALG Security Technical Implementation GuideV-251024CAT IIThe Sentry providing mobile device authentication intermediary services must restrict mobile device authentication traffic to specific authentication server(s).Ivanti Sentry 9.x ALG Security Technical Implementation GuideV-250994CAT ISentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.Ivanti Sentry 9.x NDM Security Technical Implementation GuideV-213526CAT IIThe JBoss Server must be configured to utilize a centralized authentication mechanism such 
as AD or LDAP.JBoss Enterprise Application Platform 6.3 Security Technical Implementation GuideV-241817CAT IIAll Jamf Pro EMM server local accounts created during application installation and configuration must be disabled.Jamf Pro v10.x EMM Security Technical Implementation GuideV-66665CAT IIThe Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).Juniper SRX SG VPN Security Technical Implementation GuideV-214685CAT IIThe Juniper SRX Services Gateway VPN must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).Juniper SRX Services Gateway VPN Security Technical Implementation GuideV-213852CAT IISQL Server must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).MS SQL Server 2014 Instance Security Technical Implementation GuideV-205488CAT IIThe Mainframe Product must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).Mainframe Product Security Requirements GuideV-253694CAT IIMariaDB must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).MariaDB Enterprise 10.x Security Technical Implementation Guide