CCI-000766
Implement multifactor authentication for network access to non-privileged accounts.
10
Rule
Severity: Medium
Enable the GNOME3 Login Smartcard Authentication
14
Rule
Severity: Medium
Configure opensc Smart Card Drivers
5
Rule
Severity: Medium
Configure NSS DB To Use opensc
14
Rule
Severity: Medium
Force opensc To Use Defined Smart Card Driver
5
Rule
Severity: Medium
Enable Smart Card Login
30
Rule
Severity: High
Disable SSH Access via Empty Passwords
29
Rule
Severity: Medium
Enable Public Key Authentication
15
Rule
Severity: Medium
Enable Smartcards in SSSD
3
Rule
Severity: Medium
Enable Smart Card Logins in PAM
2
Rule
Severity: Medium
AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
1
Rule
Severity: High
Compliance Guardian must use multifactor authentication for network access to privileged accounts.
3
Rule
Severity: Medium
The ALG providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
2
Rule
Severity: Medium
The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts.
2
Rule
Severity: Medium
The Central Log Server must use multifactor authentication for network access to non-privileged user accounts.
1
Rule
Severity: Medium
SAML integration must be enabled in Docker Enterprise.
1
Rule
Severity: Medium
IBM Aspera Console must be configured with a preestablished trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges.
1
Rule
Severity: Medium
IBM Aspera Faspex must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
IBM Aspera Shares must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
1
Rule
Severity: Medium
The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
2
Rule
Severity: Medium
The Sentry providing mobile device authentication intermediary services must use multifactor authentication for network access to non-privileged accounts.
2
Rule
Severity: High
The Juniper SRX Services Gateway VPN must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
2
Rule
Severity: Medium
The Mainframe Product must use multifactor authentication for network access to non-privileged accounts.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
Symantec ProxySG providing user authentication intermediary services must use multifactor authentication for network access to nonprivileged accounts.
2
Rule
Severity: Medium
Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
3
Rule
Severity: Medium
Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1
Rule
Severity: Medium
Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
2
Rule
Severity: Medium
The Tanium Operating System (TanOS) must use multifactor authentication for network access to nonprivileged accounts.
2
Rule
Severity: High
The VPN Gateway must use multifactor authentication (e.g., DoD PKI) for network access to non-privileged accounts.
3
Rule
Severity: High
The macOS system must disable password authentication for SSH.
3
Rule
Severity: Medium
The macOS system must enforce smart card authentication.
3
Rule
Severity: Medium
The macOS system must allow smart card authentication.
2
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for logon.
3
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for the su command.
3
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
1
Rule
Severity: Medium
The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.
1
Rule
Severity: Medium
The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts.
2
Rule
Severity: High
The Cisco ASA remote access VPN server must be configured to enforce certificate-based authentication before granting access to the network.
2
Rule
Severity: Medium
The container platform must use multifactor authentication for network access to non-privileged accounts.
2
Rule
Severity: Medium
The operating system must use multifactor authentication for network access to non-privileged accounts.
2
Rule
Severity: Medium
SSMC web server must enable strict two-factor authentication for access to the webUI.
2
Rule
Severity: Medium
The AIX operating system must use Multi Factor Authentication.
2
Rule
Severity: High
The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts.
2
Rule
Severity: Medium
Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
1
Rule
Severity: Medium
Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
1
Rule
Severity: Medium
Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.
3
Rule
Severity: High
The DBMS must use multifactor authentication for access to user accounts.
2
Rule
Severity: High
The Oracle Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.
2
Rule
Severity: Medium
OL 8 must implement multifactor authentication for access to interactive accounts.
2
Rule
Severity: Medium
OpenShift must use multifactor authentication for network access to accounts.
1
Rule
Severity: High
The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using an empty password.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
2
Rule
Severity: Medium
RHEL 9 SSHD must accept public key authentication.
4
Rule
Severity: Medium
The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
2
Rule
Severity: High
RHEL 9 SSHD must not allow blank passwords.
1
Rule
Severity: Medium
RHEL 9 must use the CAC smart card driver.
2
Rule
Severity: Medium
The VMM must use multifactor authentication for network access to non-privileged accounts.
4
Rule
Severity: Medium
The vCenter Server must require multifactor authentication.
1
Rule
Severity: Medium
The BIG-IP APM module must use multifactor authentication for network access to non-privileged accounts.
1
Rule
Severity: Medium
The BIG-IP Core implementation providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts when granting access to virtual servers.
1
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for login.
1
Rule
Severity: Medium
The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to nonprivileged accounts.
1
Rule
Severity: Medium
The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.
1
Rule
Severity: Medium
The container platform must use multifactor authentication for local access to nonprivileged accounts.
1
Rule
Severity: Medium
Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.
1
Rule
Severity: Medium
The Enterprise Voice, Video, and Messaging Endpoint must use multifactor authentication for network access to nonprivileged (nonadmin) accounts.
1
Rule
Severity: High
The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).
1
Rule
Severity: Medium
The operating system must use multifactor authentication for local access to nonprivileged accounts.
1
Rule
Severity: Medium
The Mainframe Product must use multifactor authentication for local access to nonprivileged accounts.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
RHEL 9 must use the common access card (CAC) smart card driver.
1
Rule
Severity: Medium
SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).
1
Rule
Severity: Medium
TOSS must use multifactor authentication for network and local access to privileged and nonprivileged accounts.
1
Rule
Severity: Medium
The VMM must use multifactor authentication for local access to nonprivileged accounts.