Configure the "global Package signature checking" setting to organizational standards., CC ID: 08735
Configure the "Package signature checking" setting for "all configured repositories" to organizational standards., CC ID: 08736
Configure the "verify against the package database" setting for "all installed software packages" to organizational standards., CC ID: 08737
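The three controls above (global package signature checking, per-repository signature checking, and verification of installed files against the package database) map on a yum/dnf host to gpgcheck in [main] of /etc/yum.conf or /etc/dnf/dnf.conf, gpgcheck in every section of /etc/yum.repos.d/*.repo, and the output of rpm -Va. The following audit script is an example added here; it is not part of the control catalogue or of any cited authority document, and it assumes those file locations and the column layout of rpm -Va output (nine attribute flags, an optional file-type letter such as "c" for config files, then the path).

```shell
#!/bin/sh
# Added example (not from the catalogue above): audit the three package-signature
# controls on a yum/dnf host. Paths and the rpm -Va column layout are assumptions
# about a typical RHEL-style system; each function takes a file path so it can be
# run against saved copies on another machine.

# Print every INI section in FILE whose gpgcheck value is missing or not "1".
# For yum.conf/dnf.conf the section that matters is [main]; in a .repo file
# every [repoid] section must carry its own gpgcheck=1.
sections_without_gpgcheck() {
    awk '
        /^[[:space:]]*\[/ {
            if (sec != "" && ok[sec] != 1) print sec
            sec = $0
            gsub(/^[[:space:]]*\[/, "", sec)
            gsub(/\].*$/, "", sec)
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]+$/, "", v)
            ok[sec] = (v == "1" || v == "True" || v == "true") ? 1 : 0
        }
        END { if (sec != "" && ok[sec] != 1) print sec }
    ' "$1"
}

# Print the files in saved `rpm -Va` output (FILE) whose contents differ from
# the package database: size changed (S in column 1), digest changed (5 in
# column 3), or the file is missing. Config files (type letter "c") are skipped
# because they are expected to drift; binaries and libraries are not.
changed_nonconfig_files() {
    awk '
        NF == 3 && $2 == "c" { next }
        $1 == "missing"      { print $NF; next }
        substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5" { print $NF }
    ' "$1"
}

# Run both checks against the live host. Returns 1 if anything is flagged.
audit_host() {
    rc=0
    for f in /etc/yum.conf /etc/dnf/dnf.conf /etc/yum.repos.d/*.repo; do
        [ -f "$f" ] || continue
        for s in $(sections_without_gpgcheck "$f"); do
            printf '%s: gpgcheck not enforced in [%s]\n' "$f" "$s"
            rc=1
        done
    done
    if command -v rpm >/dev/null 2>&1; then
        tmp=$(mktemp)
        rpm -Va >"$tmp" 2>/dev/null
        bad=$(changed_nonconfig_files "$tmp")
        rm -f "$tmp"
        if [ -n "$bad" ]; then
            printf 'non-config files differing from the package database:\n%s\n' "$bad"
            rc=1
        fi
    fi
    return $rc
}

# Invoke as `sh audit.sh audit` to run against the local host.
if [ "$#" -gt 0 ] && [ "$1" = "audit" ]; then
    audit_host
fi
```

Two caveats a practitioner should keep in mind: rpm -Va compares files against a database stored on the same host, so an attacker with root can alter both, and the digests in that database are only as trustworthy as the signature check that was in force when the package was installed. A repository section with enabled=0 is still reported, which is deliberate; a disabled repository can be re-enabled with a single --enablerepo flag, so it should carry gpgcheck=1 regardless.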
Configure the "isdn4k-utils" package to organizational standards., CC ID: 08738
Configure the "postfix" package to organizational standards., CC ID: 08739
Configure the "vsftpd" package to organizational standards., CC ID: 08740
Configure the "net-snmpd" package to organizational standards., CC ID: 08741
Configure the "rsyslog" package to organizational standards., CC ID: 08742
Configure the "ipsec-tools" package to organizational standards., CC ID: 08743
Configure the "pam_ccreds" package to organizational standards., CC ID: 08744
Configure the "talk-server" package to organizational standards., CC ID: 08745
Configure the "talk" package to organizational standards., CC ID: 08746
Configure the "irda-utils" package to organizational standards., CC ID: 08747
Configure the "/etc/shells" file to organizational standards., CC ID: 08978
Configure the LDAP package to organizational standards., CC ID: 09937
Configure the "FTP server" package to organizational standards., CC ID: 09938
Configure the "HTTP Proxy Server" package to organizational standards., CC ID: 09939
Configure the "prelink" package to organizational standards., CC ID: 11379
Configure the Network Information Service (NIS) package to organizational standards., CC ID: 11380
Configure the "time" setting to organizational standards., CC ID: 11381
Configure the "biosdevname" package to organizational standards., CC ID: 11383
Configure the "ufw" setting to organizational standards., CC ID: 11384
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
T44: The organization shall minimize the number of connected devices, communication routes, and communications-related devices that can be accessed from external networks. The organization shall not connect unnecessary devices.
T44.2: The organization shall securely set up computers that are connect… (T44, T44.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
Unneeded operating system accounts, software, components, services and functionality are removed or disabled. (Security Control: 0380; Revision: 7, Australian Government Information Security Manual, March 2021)
DBMS software features, stored procedures, accounts and databases that are not required are disabled or removed. (Security Control: 1247; Revision: 2, Australian Government Information Security Manual, March 2021)
The organization must develop a hardened Standard Operating Environment for servers and workstations that includes removing unnecessary software, operating system components, and hardware. (Control: 0380 Bullet 1, Australian Government Information Security Manual: Controls)
The organization should disable all protocols, permissions, functions, and features, unless they are required for the business operations. (¶ 26(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
Has unnecessary (frequently vendor bundled) software been removed or disabled and do systems only have software on them that is required to meet business requirements? (Secure configuration Question 13, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
Has out-of-date or older software been removed from computer and network devices that are connected to or capable of connecting to the Internet? (Patch management Question 47, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
Have all unnecessary applications on each client and server been disabled? (Table Row XIII.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
Disable all unnecessary applications, ports, and protocols. (4.2.3 E, Information Supplement: PCI DSS Wireless Guidelines, Version 2.0)
Verify the system configuration standards include procedures for enabling only the necessary services, daemons, protocols, and others that are required for system functions. (Testing Procedures § 2.2.d Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
Mobile devices should be subject to 'system hardening' by removing or restricting unnecessary applications (e.g., unapproved games, non-business software, and utilities). (CF.14.02.03a, The Standard of Good Practice for Information Security)
Mobile devices should be subject to 'system hardening' by removing or restricting unnecessary applications (e.g., unapproved games, non-business software, and utilities). (CF.14.02.06a, The Standard of Good Practice for Information Security, 2013)
Access services on the system should be regularly examined to ensure the available services are not being misused. (Special Action 7.2, SANS Computer Security Incident Handling, Version 2.3.1)
Uninstall or disable any unnecessary or unauthorized browser or email client plugins or add-on applications. Each plugin shall utilize application / URL whitelisting and only allow the use of the application for pre-approved domains. (Control 7.2, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
The organization should remove all older software and outdated software from the system. (Critical Control 3.5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
Uninstall or disable any unauthorized browser or email client plugins or add-on applications. (CIS Control 7: Sub-Control 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins, CIS Controls, 7.1)
Uninstall or disable any unauthorized browser or email client plugins or add-on applications. (CIS Control 7: Sub-Control 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins, CIS Controls, V7)
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. (CIS Control 9: Safeguard 9.4 Restrict Unnecessary or Unauthorized Browser and Email Client Extensions, CIS Controls, V8)
Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security… (¶ 13.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021 Restrict Web-Based Content, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
For Cisco IOS, the organization must review the servers to verify they are necessary and disable the ones that are not needed. (Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
CSR 2.1.4: The organization must disable all file system access that is not explicitly required for application, administrator, or system functionality.
CSR 10.7.9: The organization must disable all system services, ports, and network protocols that are not explicitly required for application and sy… (CSR 2.1.4, CSR 10.7.9, CSR 10.8.7, CSR 10.8.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
The agency shall configure applications, Information Systems, and services to provide only the necessary capabilities. (§ 5.7.1.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
Do the configuration policies and procedures include removing or disabling unnecessary network services and Operating System services? (IT - Networks Q 25, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
The organization should review the system on an organizationally defined period to identify and restrict any unnecessary protocols, ports, services, and/or functions. (SG.CM-7 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
The organization must remove all unused and unnecessary functions and services from the Industrial Control System. (App I § SI-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
The organization disables {organizationally documented functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure}. (CM-7(1)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)