
CCI-001813

Definition

Enforce access restrictions using organization-defined mechanisms.

Parent Control

CM-5 (1) | Access Restrictions for Change | Configuration Management

Linked STIG Checks (170)

ID | Severity | Check | STIG
V-213124 | CAT II | Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled. | Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide
V-213139 | CAT III | Adobe Acrobat Pro DC Continuous privileged host locations must be disabled. | Adobe Acrobat Professional DC Continuous Track Security Technical Implementation Guide
V-213188 | CAT II | Adobe Reader DC must disable the ability to add Trusted Files and Folders. | Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide
V-213189 | CAT II | Adobe Reader DC must disable the ability to elevate IE Trusts to Privileged Locations. | Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide
V-279050 | CAT II | ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities. | Adobe ColdFusion Security Technical Implementation Guide
V-274044 | CAT II | Amazon Linux 2023 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | Amazon Linux 2023 Security Technical Implementation Guide
V-274045 | CAT II | Amazon Linux 2023 SSH daemon must not allow Kerberos authentication. | Amazon Linux 2023 Security Technical Implementation Guide
V-214248 | CAT I | Apache web server application directories, libraries, and configuration files must only be accessible to privileged users. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
V-214299 | CAT II | The Apache web server application, libraries, and configuration files must only be accessible to privileged users. | Apache Server 2.4 UNIX Site Security Technical Implementation Guide
V-214322 | CAT I | Apache web server application directories, libraries, and configuration files must only be accessible to privileged users. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
V-214373 | CAT I | Anonymous user access to the Apache web server application directories must be prohibited. | Apache Server 2.4 Windows Site Security Technical Implementation Guide
V-222945 | CAT II | Files in the $CATALINA_BASE/conf/ folder must have their permissions set to 640. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222946 | CAT II | $CATALINA_BASE/conf folder permissions must be set to 750. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222986 | CAT II | $CATALINA_HOME folder must be owned by the root user, group tomcat. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222987 | CAT II | $CATALINA_BASE/conf/ folder must be owned by root, group tomcat. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222988 | CAT II | $CATALINA_BASE/logs/ folder must be owned by tomcat user, group tomcat. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222989 | CAT III | $CATALINA_BASE/temp/ folder must be owned by tomcat user, group tomcat. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222990 | CAT III | $CATALINA_BASE/temp folder permissions must be set to 750. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-222991 | CAT II | $CATALINA_BASE/work/ folder must be owned by tomcat user, group tomcat. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
V-252513 | CAT I | The macOS system must enforce access restrictions. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257219 | CAT I | The macOS system must disable the guest account. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-259511 | CAT II | The macOS system must disable the guest account. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
V-268443 | CAT II | The macOS system must disable root login. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268472 | CAT II | The macOS system must disable root login for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-268510 | CAT II | The macOS system must disable the guest account. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277051 | CAT II | The macOS system must disable root login. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277079 | CAT II | The macOS system must disable root login for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-277119 | CAT II | The macOS system must disable the guest account. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-222511 | CAT II | The application must enforce access restrictions associated with changes to application configuration. | Application Security and Development Security Technical Implementation Guide
V-204796 | CAT II | The application server must enforce access restrictions associated with changes to application server configuration. | Application Server Security Requirements Guide
V-237334 | CAT II | The ArcGIS Server must enforce access restrictions associated with changes to application configuration. | ArcGIS for Server 10.3 Security Technical Implementation Guide
V-255957 | CAT II | If the Arista network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects. | Arista MLS EOS 4.2x NDM Security Technical Implementation Guide
V-255957 | CAT II | If the Arista network device uses role-based access control, the network device must enforce organization-defined role-based access control policies over defined subjects and objects. | Arista MLS EOS 4.X NDM Security Technical Implementation Guide
V-276005 | CAT II | Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
V-251603 | CAT II | The commands that allow dynamic definitions of PROGRAM/TASK and the dynamic varying of memory must be secured. | CA IDMS Security Technical Implementation Guide
V-251604 | CAT II | Databases must be secured to protect from structural changes. | CA IDMS Security Technical Implementation Guide
V-251605 | CAT II | Database utilities must be secured in CA IDMS and permissions given to appropriate role(s)/groups(s) in the external security manager (ESM). | CA IDMS Security Technical Implementation Guide
V-251606 | CAT II | The online debugger which can change programs and storage in the CA IDMS address space must be secured. | CA IDMS Security Technical Implementation Guide
V-251640 | CAT II | CA IDMS programs that can be run through a CA IDMS CV must be defined to the CV. | CA IDMS Security Technical Implementation Guide
V-269161 | CAT II | AlmaLinux OS 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269162 | CAT II | AlmaLinux OS 9 SSH daemon must not allow Kerberos authentication. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233188 | CAT II | The container platform must enforce access restrictions for container platform configuration changes. | Container Platform Security Requirements Guide
V-270876 | CAT II | The container root filesystem must be mounted as read-only. | Container Platform Security Requirements Guide
V-233597 | CAT II | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). | Crunchy Data PostgreSQL Security Technical Implementation Guide
V-261924 | CAT II | PostgreSQL must enforce access restrictions associated with changes to the configuration of the DBMS or database(s). | Crunchy Data Postgres 16 Security Technical Implementation Guide
V-206597 | CAT II | The DBMS must enforce access restrictions associated with changes to the configuration of the DBMS or database(s). | Database Security Requirements Guide
V-235781 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-235782 | CAT II | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. | Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
V-224201 | CAT II | The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s). | EDB Postgres Advanced Server v11 on Windows Security Technical Implementation Guide
V-213626 | CAT II | The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s). | EDB Postgres Advanced Server v9.6 Security Technical Implementation Guide
V-259284 | CAT II | The EDB Postgres Advanced Server must enforce access restrictions associated with changes to the configuration of the EDB Postgres Advanced Server or database(s). | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
V-217415 | CAT II | The BIG-IP appliance must be configured to enforce access restrictions associated with changes to device configuration. | F5 BIG-IP Device Management Security Technical Implementation Guide
V-278397 | CAT II | NGINX must restrict access to configuration files. | F5 NGINX Security Technical Implementation Guide
V-230947 | CAT II | Forescout must enforce access restrictions associated with changes to device configuration. | Forescout Network Device Management Security Technical Implementation Guide
V-234189 | CAT II | The FortiGate device must enforce access restrictions associated with changes to device configuration. | Fortinet FortiGate Firewall NDM Security Technical Implementation Guide
V-203718 | CAT II | The operating system must enforce access restrictions. | General Purpose Operating System Security Requirements Guide
V-255264 | CAT II | SSMC web server application, libraries, and configuration files must only be accessible to privileged users. | HPE 3PAR SSMC Web Server Security Technical Implementation Guide
V-215246 | CAT II | AIX must provide audit record generation functionality for DoD-defined auditable events. | IBM AIX 7.x Security Technical Implementation Guide
V-213724 | CAT II | DB2 and the operating system must enforce access restrictions associated with changes to the configuration of DB2 or database(s). | IBM DB2 V10.5 LUW Security Technical Implementation Guide
V-65159 | CAT II | The DataPower Gateway must enforce access restrictions associated with changes to device configuration. | IBM DataPower Network Device Management Security Technical Implementation Guide
V-250344 | CAT II | The server.xml file must be protected from unauthorized modification. | IBM WebSphere Liberty Server Security Technical Implementation Guide
V-255828 | CAT II | The WebSphere Application Server users in a local user registry group must be authorized for that group. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-255835 | CAT II | The WebSphere Application Server users in the admin role must be authorized. | IBM WebSphere Traditional V9.x Security Technical Implementation Guide
V-223464 | CAT I | CA-ACF2 must be installed, functional, and properly configured. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223702 | CAT II | IBM RACF SETROPTS RVARYPW values must be properly set. | IBM z/OS RACF Security Technical Implementation Guide
V-224020 | CAT I | CA-TSS must be installed and properly configured. | IBM z/OS TSS Security Technical Implementation Guide
V-224789 | CAT II | The Apache Tomcat shutdown port must be disabled. | ISEC7 Sphere Security Technical Implementation Guide
V-224790 | CAT II | The ISEC7 SPHERE must remove any unnecessary users or groups that have permissions to the server.xml file in Apache Tomcat. | ISEC7 Sphere Security Technical Implementation Guide
V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
V-213542 | CAT II | Production JBoss servers must not allow automatic application deployment. | JBoss Enterprise Application Platform 6.3 Security Technical Implementation Guide
V-241803 | CAT II | The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM. | Jamf Pro v10.x EMM Security Technical Implementation Guide
V-253923 | CAT II | The Juniper EX switch must be configured to enforce access restrictions associated with changes to device configuration. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
V-213873 | CAT II | SQL Server and Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance or database(s). | MS SQL Server 2014 Instance Security Technical Implementation Guide
V-213924 | CAT II | SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). | MS SQL Server 2016 Database Security Technical Implementation Guide
V-213987 | CAT II | SQL Server must enforce access restrictions associated with changes to the configuration of the instance. | MS SQL Server 2016 Instance Security Technical Implementation Guide
V-213988 | CAT II | Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance. | MS SQL Server 2016 Instance Security Technical Implementation Guide
V-205566 | CAT II | The Mainframe Product must enforce access restrictions associated with changes to application configuration. | Mainframe Product Security Requirements Guide
V-253732 | CAT II | MariaDB must enforce access restrictions associated with changes to the configuration of MariaDB or database(s). | MariaDB Enterprise 10.x Security Technical Implementation Guide
V-255319 | CAT II | Azure SQL Database must enforce access restrictions associated with changes to the configuration of the Azure SQL Database server or database(s). | Microsoft Azure SQL Database Security Technical Implementation Guide
V-276235 | CAT II | Azure SQL Managed Instance must enforce access restrictions associated with changes to the configuration of the database(s). | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-276308 | CAT II | Azure SQL Managed Instance must enforce access restrictions associated with changes to the configuration of the instance. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-276309 | CAT II | Azure Resource Manager must enforce access restrictions associated with changes to the configuration of Azure SQL Managed Instance. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
V-221255 | CAT II | The Exchange software baseline copy must exist. | Microsoft Exchange 2016 Edge Transport Server Security Technical Implementation Guide
V-228401 | CAT II | An Exchange software baseline copy must exist. | Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide
V-259633 | CAT II | The Exchange software baseline copy must exist. | Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide
V-259700 | CAT II | An Exchange software baseline copy must exist. | Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide
V-218816 | CAT II | Access to web administration tools must be restricted to the web manager and the web managers designees. | Microsoft IIS 10.0 Server Security Technical Implementation Guide
V-271195 | CAT II | SQL Server must enforce access restrictions associated with changes to the configuration of the database(s). | Microsoft SQL Server 2022 Database Security Technical Implementation Guide
V-271349 | CAT II | Windows must enforce access restrictions associated with changes to the configuration of the SQL Server instance. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
V-271350 | CAT II | SQL Server must enforce access restrictions associated with changes to the configuration of the instance. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
V-260906 | CAT I | Least privilege access and need to know must be required to access MKE runtime and instantiate container images. | Mirantis Kubernetes Engine Security Technical Implementation Guide
V-221192 | CAT II | MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s). | MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide
V-252175 | CAT II | MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s). | MongoDB Enterprise Advanced 4.x Security Technical Implementation Guide
V-265942 | CAT II | MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s). | MongoDB Enterprise Advanced 7.x Security Technical Implementation Guide
V-279381 | CAT II | MongoDB must enforce access restrictions associated with changes to the configuration of MongoDB or database(s). | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
V-246939 | CAT II | ONTAP must enforce access restrictions associated with changes to the device configuration. | NetApp ONTAP DSC 9.x Security Technical Implementation Guide
V-202106 | CAT II | The network device must enforce access restrictions associated with changes to device configuration. | Network Device Management Security Requirements Guide
V-254108 | CAT II | Nutanix AOS must enforce access restrictions associated with changes to application server configuration. | Nutanix AOS 5.20.x Application Security Technical Implementation Guide
V-254189 | CAT II | Nutanix AOS must not be configured to allow GSSAPIAuthentication. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-254190 | CAT II | Nutanix AOS must not be configured to allow KerberosAuthentication. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279431 | CAT II | Nutanix AOS must enforce access restrictions associated with changes to configuration and software libraries. | Nutanix Acropolis Application Server Security Technical Implementation Guide
V-279578 | CAT II | Nutanix OS must prevent SSH from permitting Generic Security Service Application Program Interface (GSSAPI) authentication. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-279579 | CAT II | Nutanix AHV must not be configured to allow Kerberos authentication. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-238454 | CAT II | The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself. | Oracle Database 11.2g Security Technical Implementation Guide
V-237719 | CAT II | The DBMS must support enforcement of logical access restrictions associated with changes to the DBMS configuration and to the database itself. | Oracle Database 12c Security Technical Implementation Guide
V-270512 | CAT II | Oracle Database must support enforcement of logical access restrictions associated with changes to the database management system (DBMS) configuration and to the database itself. | Oracle Database 19c Security Technical Implementation Guide
V-221762 | CAT II | The Oracle Linux operating system must not allow removable media to be used as the boot loader unless approved. | Oracle Linux 7 Security Technical Implementation Guide
V-221860 | CAT II | The Oracle Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. | Oracle Linux 7 Security Technical Implementation Guide
V-221861 | CAT II | The Oracle Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. | Oracle Linux 7 Security Technical Implementation Guide
V-271704 | CAT II | OL 9 SSH daemon must not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | Oracle Linux 9 Security Technical Implementation Guide
V-271718 | CAT II | OL 9 SSH daemon must not allow Kerberos authentication. | Oracle Linux 9 Security Technical Implementation Guide
V-235169 | CAT II | The MySQL Database Server 8.0 must enforce access restrictions associated with changes to the configuration of the MySQL Database Server 8.0 or database(s). | Oracle MySQL 8.0 Security Technical Implementation Guide
V-253524 | CAT II | Users requiring access to Prisma Cloud Compute's Credential Store must be assigned and accessed by the appropriate role holders. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-214131 | CAT II | PostgreSQL must enforce access restrictions associated with changes to the configuration of PostgreSQL or database(s). | PostgreSQL 9.x Security Technical Implementation Guide
V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
V-281254 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Generic Security Service Application Program Interface (GSSAPI) authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281255 | CAT II | RHEL 10 must be configured so that the Secure Shell (SSH) daemon does not allow Kerberos authentication. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-204479 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204488 | CAT II | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204501 | CAT II | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204575 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204598 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204599 | CAT II | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-204621 | CAT I | The Red Hat Enterprise Linux operating system must not have the Trivial File Transfer Protocol (TFTP) server package installed if not required for operational support. | Red Hat Enterprise Linux 7 Security Technical Implementation Guide
V-258003 | CAT II | RHEL 9 SSH daemon must not allow GSSAPI authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258004 | CAT II | RHEL 9 SSH daemon must not allow Kerberos authentication. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257513 | CAT I | OpenShift role-based access controls (RBAC) must be enforced. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-251209 | CAT II | Redis Enterprise DBMS must enforce access restrictions associated with changes to the configuration of Redis Enterprise DBMS or database(s). | Redis Enterprise 6.x Security Technical Implementation Guide
V-206743 | CAT II | The SDN controller must be configured to enforce access restrictions associated with changes to the configuration. | SDN Controller Security Requirements Guide
V-279250 | CAT I | The Edge SWG must be configured to assign appropriate user roles or access levels to authenticated users. | Symantec Edge SWG NDM Security Technical Implementation Guide
V-241008 | CAT II | Tanium must prohibit user installation of software without explicit privileged status and enforce access restrictions associated with changes to application configuration. | Tanium 7.0 Security Technical Implementation Guide
V-234069 | CAT II | The Tanium application must prohibit user installation of software without explicit privileged status. | Tanium 7.3 Security Technical Implementation Guide
V-254939 | CAT II | The application must enforce access restrictions associated with changes to application configuration. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
V-253796 | CAT II | The application must enforce access restrictions associated with changes to application configuration. | Tanium 7.x Security Technical Implementation Guide
V-241164 | CAT II | Trend Deep Security must enforce access restrictions associated with changes to application configuration. | Trend Micro Deep Security 9.x Security Technical Implementation Guide
V-242248 | CAT II | The TippingPoint SMS must enforce access restrictions associated with changes to device configuration. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
V-242254 | CAT I | The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
V-282581 | CAT II | TOSS 5 SSH daemon must not allow Kerberos authentication. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-234523 | CAT II | The UEM server must enforce access restrictions associated with changes to the server configuration. | Unified Endpoint Management Server Security Requirements Guide
V-240080 | CAT II | HAProxy libraries, and configuration files must only be accessible to privileged users. | VMW vRealize Automation 7.x HA Proxy Security Technical Implementation Guide
V-240309 | CAT II | The DBMS must enforce access restrictions associated with changes to the configuration of the DBMS or database(s). | VMW vRealize Automation 7.x PostgreSQL Security Technical Implementation Guide
V-239809 | CAT II | The vROps PostgreSQL DB must enforce access restrictions associated with changes to the configuration of the DBMS or database(s). | VMW vRealize Operations Manager 6.x PostgreSQL Security Technical Implementation Guide
V-265292 | CAT I | The NSX Manager must assign users/accounts to organization-defined roles configured with approved authorizations. | VMware NSX 4.x Manager NDM Security Technical Implementation Guide
V-240265 | CAT II | Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files. | VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide
V-240854 | CAT II | tc Server HORIZON application, libraries, and configuration files must only be accessible to privileged users. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240855 | CAT II | tc Server VCO application, libraries, and configuration files must only be accessible to privileged users. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240856 | CAT II | tc Server VCAC application, libraries, and configuration files must only be accessible to privileged users. | VMware vRealize Automation 7.x tc Server Security Technical Implementation Guide
V-240951 | CAT II | The vAMI configuration file must be protected from unauthorized access. | VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide
V-241710 | CAT II | tc Server UI application, libraries, and configuration files must only be accessible to privileged users. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241711 | CAT II | tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-241712 | CAT II | tc Server API application, libraries, and configuration files must only be accessible to privileged users. | VMware vRealize Operations Manager 6.x tc Server Security Technical Implementation Guide
V-256653 | CAT II | VAMI server binaries and libraries must be verified for their integrity. | VMware vSphere 7.0 VAMI Security Technical Implementation Guide
V-256689 | CAT II | ESX Agent Manager directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
V-256702 | CAT II | ESX Agent Manager must set the secure flag for cookies. | VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide
V-256722 | CAT II | Lookup Service directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
V-256627 | CAT II | Performance Charts directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-256593 | CAT II | VMware Postgres configuration files must not be accessible by unauthorized users. | VMware vSphere 7.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide
V-256761 | CAT II | The Security Token Service directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide
V-256794 | CAT II | The vSphere UI directory tree must have permissions in an out-of-the-box state. | VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide
V-256335 | CAT II | The vCenter Server users must have the correct roles assigned. | VMware vSphere 7.0 vCenter Security Technical Implementation Guide
V-259032 | CAT II | The vCenter ESX Agent Manager service files must have permissions in an out-of-the-box state. | VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide
V-259066 | CAT II | The vCenter Lookup service files must have permissions in an out-of-the-box state. | VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide
V-259099 | CAT II | The vCenter Perfcharts service files must have permissions in an out-of-the-box state. | VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide
V-259168 | CAT II | The vCenter PostgreSQL service configuration files must not be accessible by unauthorized users. | VMware vSphere 8.0 vCenter Appliance PostgreSQL Security Technical Implementation Guide
V-258998 | CAT II | The vCenter STS service files must have permissions in an out-of-the-box state. | VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide
V-258921 | CAT II | The vCenter Server user roles must be verified. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
V-207470 | CAT II | The VMM must enforce access restrictions associated with changes to the system. | Virtual Machine Manager Security Requirements Guide
V-206427 | CAT II | The web server application, libraries, and configuration files must only be accessible to privileged users. | Web Server Security Requirements Guide
V-269569 | CAT II | Xylok Security Suite must protect application-specific data. | Xylok Security Suite 20.x Security Technical Implementation Guide
V-269582 | CAT II | The Xylok Security Suite configuration file must be protected. | Xylok Security Suite 20.x Security Technical Implementation Guide