Skip to content
Log In

CCI-000877

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

Enable PAM

33 rules found Severity: Medium

Logo

Use Only FIPS 140-2 Validated Ciphers

22 rules found Severity: Medium

Logo

Use Only FIPS 140-2 Validated MACs

20 rules found Severity: Medium

Logo

Set kernel parameter 'crypto.fips_enabled' to 1

11 rules found Severity: High

Logo

Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config

7 rules found Severity: Medium

Logo

Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config

6 rules found Severity: Medium

Logo

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

1 rule found Severity: High

Logo

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

1 rule found Severity: Medium

Logo

User credentials which would allow remote access to the system by the Service Processor must be removed from the storage system.

1 rule found Severity: High

Logo

The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

1 rule found Severity: High

Logo

Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

2 rules found Severity: Medium

Logo

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

2 rules found Severity: High

Logo

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

2 rules found Severity: High

Logo

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

2 rules found Severity: High

Logo

The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

2 rules found Severity: Medium

Logo

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

1 rule found Severity: High

Logo

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

1 rule found Severity: High

Logo

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

1 rule found Severity: High

Logo

The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

2 rules found Severity: Medium

Logo

SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: High

Logo

The Windows Remote Management (WinRM) client must not use Basic authentication.

3 rules found Severity: High

Logo

The Windows Remote Management (WinRM) service must not use Basic authentication.

3 rules found Severity: High

Logo

The Windows Remote Management (WinRM) client must not use Digest authentication.

3 rules found Severity: Medium

Logo

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

1 rule found Severity: Medium

Logo

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

1 rule found Severity: High

Logo

SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.

1 rule found Severity: High

Logo

The TOSS operating system must implement DoD-approved encryption in the OpenSSL package.

1 rule found Severity: Medium

Logo

Enable FIPS Mode

10 rules found Severity: High

Logo

Configure System Cryptography Policy

17 rules found Severity: High

Logo

Enable Dracut FIPS Module

8 rules found Severity: High

Logo

NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: High

Logo

The macOS system must disable password authentication for SSH.

2 rules found Severity: High

Logo

The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

AlmaLinux OS 9 must use the TuxCare FIPS repository.

1 rule found Severity: High

Logo

AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages.

1 rule found Severity: High

Logo

AlmaLinux OS 9 must enable FIPS mode.

1 rule found Severity: High

Logo

AlmaLinux OS 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

1 rule found Severity: High

Logo

The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: High

Logo

CA-ACF2 defined user accounts must uniquely identify system users.

1 rule found Severity: Medium

Logo

IBM RACF user accounts must uniquely identify system users.

1 rule found Severity: Medium

Logo

CA-TSS user accounts must uniquely identify system users.

1 rule found Severity: Medium

Logo

Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.

1 rule found Severity: High

Logo

Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.

1 rule found Severity: Medium

Logo

Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.

1 rule found Severity: High

Logo

Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication.

1 rule found Severity: High

Logo

Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication.

1 rule found Severity: Medium

Logo

Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication.

1 rule found Severity: High

Logo

Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL).

1 rule found Severity: High

Logo

OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

1 rule found Severity: High

Logo

The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.

1 rule found Severity: Medium

Logo

The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.

1 rule found Severity: Medium

Logo

Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.

1 rule found Severity: High

Logo

RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

1 rule found Severity: High

Logo

RHEL 9 must enable FIPS mode.

1 rule found Severity: High

Logo

The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

2 rules found Severity: Medium

Logo

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

2 rules found Severity: Medium

Logo

The VMM must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

1 rule found Severity: Medium

Logo

The Photon operating system must use an OpenSSH server version that does not support protocol 1.

1 rule found Severity: Medium

Logo