Capacity
CCI-001941
Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts.
1
Rule
Severity: Medium
The A10 Networks ADC must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
Local administrator accounts on domain systems must not share the same password.
2
Rule
Severity: Medium
The application server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
2
Rule
Severity: High
The Arista network devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
2
Rule
Severity: Medium
The application must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
The Central Log Server must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
The DBN-6300 must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: High
FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
1
Rule
Severity: Medium
The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: High
DoD-approved encryption must be implemented to protect the confidentiality and integrity of remote access sessions, information during preparation for transmission, information during reception, and information during transmission in addition to enforcing replay-resistant authentication mechanisms for network access to privileged accounts.
7
Rule
Severity: Medium
The network device must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
When connecting to the MQ Appliance network device using the WebGUI, it must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
The WebSphere Application Server must provide security extensions to extend the SOAP protocol and provide secure authentication when accessing sensitive data.
2
Rule
Severity: Medium
The Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
SharePoint must use replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
ONTAP must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
Nutanix AOS must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1
Rule
Severity: Medium
Riverbed Optimization System (RiOS) must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: High
Innoslate must use TLS 1.2, at a minimum, to protect the confidentiality of sensitive data during electronic dissemination using remote access.
4
Rule
Severity: Medium
Splunk Enterprise must use HTTPS/SSL for access to the user interface.
2
Rule
Severity: Medium
Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1
Rule
Severity: Medium
Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts.
3
Rule
Severity: Medium
Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
1
Rule
Severity: Medium
Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.
2
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
2
Rule
Severity: High
The UEM server must use FIPS-validated SHA-2 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: High
The macOS system must disable the SSHD service.
3
Rule
Severity: High
The macOS system must disable password authentication for SSH.
3
Rule
Severity: Medium
The macOS system must enforce smart card authentication.
3
Rule
Severity: Medium
The macOS system must allow smart card authentication.
2
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for logon.
3
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for the su command.
3
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for privilege escalation through the sudo command.
1
Rule
Severity: High
The Ubuntu operating system must enforce SSHv2 for network access to all accounts.
2
Rule
Severity: Medium
The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
4
Rule
Severity: High
The Cisco router must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
4
Rule
Severity: High
The Cisco switch must be configured to use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of remote maintenance sessions.
2
Rule
Severity: Medium
The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
For accounts using password authentication, the Cisco ISE must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
The operating system must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: High
The HPE 3PAR OS CIMserver process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
The HPE 3PAR OS WSAPI process must be configured to use approved encryption and communications protocols to protect the confidentiality of remote access sessions.
2
Rule
Severity: High
AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
2
Rule
Severity: Medium
The ICS must be configured to audit the execution of privileged functions such as accounts additions and changes.
2
Rule
Severity: Medium
The Juniper EX switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
Kerberos user logon restrictions must be enforced.
2
Rule
Severity: Medium
The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
2
Rule
Severity: Medium
The Kerberos user ticket lifetime must be limited to 10 hours or less.
2
Rule
Severity: Medium
The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
2
Rule
Severity: Medium
The computer clock synchronization tolerance must be limited to 5 minutes or less.
1
Rule
Severity: Medium
Windows Server 2019 Kerberos user logon restrictions must be enforced.
2
Rule
Severity: Medium
Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
2
Rule
Severity: Medium
Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less.
2
Rule
Severity: Medium
Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
2
Rule
Severity: Medium
Windows Server 2019 computer clock synchronization tolerance must be limited to five minutes or less.
2
Rule
Severity: Medium
Windows Server 2022 Kerberos user logon restrictions must be enforced.
2
Rule
Severity: Medium
Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less.
2
Rule
Severity: Medium
Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less.
2
Rule
Severity: Medium
Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.
2
Rule
Severity: Medium
Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less.
2
Rule
Severity: Medium
The Palo Alto Networks security platform must implement replay-resistant authentication mechanisms for network access to privileged accounts.
2
Rule
Severity: Medium
OpenShift must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Medium
RHEL 9 must use the CAC smart card driver.
4
Rule
Severity: Medium
The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).
2
Rule
Severity: Medium
The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts.
1
Rule
Severity: Low
The ESXi host must use Active Directory for local user authentication.
3
Rule
Severity: Low
The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
1
Rule
Severity: Medium
The Photon operating system must use an OpenSSH server version that does not support protocol 1.
1
Rule
Severity: Medium
The macOS system must enforce multifactor authentication for login.
1
Rule
Severity: Medium
The ALG providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The application must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
Dragos must allow only the individuals appointed by the information system security manager (ISSM) to have full admin rights to the system.
1
Rule
Severity: Medium
The operating system must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The Sentry providing mobile device authentication intermediary services must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The Juniper SRX Services Gateway VPN must use anti-replay mechanisms for security associations.
1
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
The built-in DNS client must be disabled.
1
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
RHEL 9 must use the common access card (CAC) smart card driver.
1
Rule
Severity: High
SLEM 5 must have SSH installed to protect the confidentiality and integrity of transmitted information.
1
Rule
Severity: High
The NSX Manager must only enable TLS 1.2 or greater.
1
Rule
Severity: Medium
The VMM must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The TLS VPN must be configured to use replay-resistant authentication mechanisms for network access to nonprivileged accounts.
1
Rule
Severity: Medium
The IPsec VPN Gateway must use anti-replay mechanisms for security associations.
1
Rule
Severity: Medium
The vCenter Server must use DOD-approved encryption to protect the confidentiality of network sessions.
1
Rule
Severity: Medium
The UEM server must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts.