CCI-000767

The information system implements multifactor authentication for local access to privileged accounts.

10 rules found Severity: Medium

4 rules found Severity: Medium

5 rules found Severity: Medium

13 rules found Severity: Medium

5 rules found Severity: Medium

7 rules found Severity: Medium

4 rules found Severity: Medium

5 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: High

4 rules found Severity: Medium

7 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

CCI-000767

Enable the GNOME3 Login Smartcard Authentication

Configure opensc Smart Card Drivers

Configure NSS DB To Use opensc

Force opensc To Use Defined Smart Card Driver

Enable Smart Card Login

Enable Public Key Authentication

Enable Smartcards in SSSD

Enable Smart Card Logins in PAM

The Arista Multilayer Switch must use multifactor authentication for local access to privileged accounts.

The DBN-6300 must use multifactor authentication for local access to privileged accounts.

SAML integration must be enabled in Docker Enterprise.

Google Android 12 must be configured to disable trust agents. Note: This requirement is not applicable (NA) for specific biometric authentication factors included in the product's Common Criteria evaluation.

The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

Nutanix AOS must use multifactor authentication for account access.

The Samsung SDS EMM must use multifactor authentication for local access to privileged accounts.

Common Access Card (CAC)-based authentication must be enforced and enabled on the Tanium Server for network and local access with privileged and non-privileged accounts.

Common Access Card (CAC)-based authentication must be enabled on the Tanium Server for network access with privileged accounts.

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The Workspace ONE UEM must use multifactor authentication for local access to privileged accounts.

The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.

The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.

The DBMS must use multifactor authentication for access to user accounts.

Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor, including face recognition.

Samsung Android must be configured to enable a screen-lock policy that will lock the display after a period of inactivity - Disable trust agents.

Apple iOS/iPadOS 16 must be configured to disable Auto Unlock of the iPhone by an Apple Watch.

Apple iOS/iPadOS 17 must be configured to disable "Auto Unlock" of the iPhone by an Apple Watch.

The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts.

The Ubuntu operating system must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.

Google Android 14 must be configured to disable trust agents.

Google Android 13 must be configured to disable trust agents.

The AIX operating system must use Multi Factor Authentication.

MKE must be configured to integrate with an Enterprise Identity Provider.

Suggestions of similar web pages in the event of a navigation error must be disabled.

The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management.

Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.

The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.

SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

Samsung Android must be configured to disable authentication mechanisms providing user access to protected data other than a Password Authentication Factor: Face recognition.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.

The macOS system must disable password authentication for SSH.

The macOS system must enforce smart card authentication.

The macOS system must allow smart card authentication.

The macOS system must enforce multifactor authentication for logon.

The macOS system must enforce multifactor authentication for the su command.

The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.

The application must use multifactor (Alt. Token) authentication for local access to privileged accounts.

Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

Ubuntu 22.04 LTS must implement smart card logins for multifactor authentication for local and network access to privileged and nonprivileged accounts.

Dragos Platform must use an Identity Provider (IDP) for authentication and authorization processes.

Google Android 15 must be configured to disable trust agents.

Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.

Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.

Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.

OL 8 must implement multifactor authentication for access to interactive accounts.

OpenShift must use FIPS validated LDAP or OpenIDConnect.

RHEL 9 SSHD must accept public key authentication.

RHEL 9 must use the common access card (CAC) smart card driver.

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The ESXi host Secure Shell (SSH) daemon must ignore ".rhosts" files.

The ESXi host Secure Shell (SSH) daemon must ignore .rhosts files.