Capacity
CCI-002038
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
29
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
29
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
29
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo
29
Rule
Severity: Medium
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
14
Rule
Severity: Medium
Require Re-Authentication When Using the sudo Command
1
Rule
Severity: Medium
The ALG providing user authentication intermediary services must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.
1
Rule
Severity: Medium
The application server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.
2
Rule
Severity: Medium
The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Low
The Central Log Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.
1
Rule
Severity: Medium
CounterACT, when providing user authentication intermediary services, must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.
2
Rule
Severity: Medium
HTTP session timeout must be configured.
1
Rule
Severity: Medium
The Mainframe Product must require users to reauthenticate when circumstances or situations require reauthentication as defined in site security plan.
1
Rule
Severity: Medium
Nutanix AOS must require users to reauthenticate for privilege escalation.
2
Rule
Severity: Medium
Prisma Cloud Compute local accounts must enforce strong password requirements.
1
Rule
Severity: Low
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
1
Rule
Severity: Medium
Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The UEM server must require users (administrators) to reauthenticate when roles change.
1
Rule
Severity: Medium
The IPsec VPN Gateway must renegotiate the security association after 8 hours or less, or an organization-defined period.
1
Rule
Severity: Medium
The VPN Gateway must renegotiate the security association after 24 hours or less or as defined by the organization.
1
Rule
Severity: Medium
Idle timeout for management application must be set to 10 minutes.
5
Rule
Severity: Medium
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
2
Rule
Severity: Medium
The macOS system must configure sudoers timestamp type.
1
Rule
Severity: Medium
The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.
2
Rule
Severity: Medium
The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.
4
Rule
Severity: Medium
PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
2
Rule
Severity: Medium
The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.
2
Rule
Severity: Medium
The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.
1
Rule
Severity: Medium
The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The DBMS must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.
1
Rule
Severity: Medium
The operating system must require users to re-authenticate for privilege escalation.
1
Rule
Severity: Medium
The operating system must require users to re-authenticate when changing roles.
1
Rule
Severity: Medium
The operating system must require users to re-authenticate when changing authenticators.
2
Rule
Severity: Medium
SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
2
Rule
Severity: High
AIX must remove NOPASSWD tag from sudo config files.
2
Rule
Severity: Medium
AIX must remove !authenticate option from sudo config files.
2
Rule
Severity: Medium
If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.
2
Rule
Severity: Medium
MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
2
Rule
Severity: Medium
MongoDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
6
Rule
Severity: Medium
Users must be prompted for a password on resume from sleep (on battery).
6
Rule
Severity: Medium
The user must be prompted for a password on resume from sleep (plugged in).
8
Rule
Severity: Medium
Passwords must not be saved in the Remote Desktop Client.
8
Rule
Severity: Medium
Remote Desktop Services must always prompt a client for passwords upon connection.
8
Rule
Severity: Medium
The Windows Remote Management (WinRM) service must not store RunAs credentials.
8
Rule
Severity: Medium
User Account Control approval mode for the built-in Administrator must be enabled.
6
Rule
Severity: Medium
User Account Control must automatically deny elevation requests for standard users.
8
Rule
Severity: Medium
User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
2
Rule
Severity: Medium
User Account Control must automatically deny standard user requests for elevation.
3
Rule
Severity: Medium
Windows Server 2019 must not save passwords in the Remote Desktop Client.
3
Rule
Severity: Medium
Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
3
Rule
Severity: Medium
Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
3
Rule
Severity: Medium
Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
3
Rule
Severity: Medium
Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
3
Rule
Severity: Medium
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
3
Rule
Severity: Medium
Windows Server 2022 must not save passwords in the Remote Desktop Client.
3
Rule
Severity: Medium
Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection.
3
Rule
Severity: Medium
Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials.
3
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
3
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation.
3
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation.
2
Rule
Severity: Medium
The Oracle Linux operating system must require re-authentication when using the "sudo" command.
2
Rule
Severity: Medium
The Oracle Linux operating system must not be configured to bypass password requirements for privilege escalation.
2
Rule
Severity: Medium
OL 8 must require users to provide a password for privilege escalation.
2
Rule
Severity: Medium
OL 8 must require users to reauthenticate for privilege escalation and changing roles.
1
Rule
Severity: Medium
OL 8 must require re-authentication when using the "sudo" command.
2
Rule
Severity: Medium
The OL 8 operating system must not be configured to bypass password requirements for privilege escalation.
2
Rule
Severity: Medium
The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
Automation Controller must be configured to use an enterprise user management system.
2
Rule
Severity: Medium
Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
2
Rule
Severity: Medium
OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
2
Rule
Severity: Medium
RHEL 8 must require users to provide a password for privilege escalation.
2
Rule
Severity: Medium
RHEL 8 must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.
4
Rule
Severity: High
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
2
Rule
Severity: Medium
RHEL 8 must require re-authentication when using the "sudo" command.
2
Rule
Severity: Medium
The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.
3
Rule
Severity: Medium
The SUSE operating system must require re-authentication when using the "sudo" command.
4
Rule
Severity: Medium
The SUSE operating system must not be configured to bypass password requirements for privilege escalation.
2
Rule
Severity: Medium
RHEL 9 must require reauthentication when using the "sudo" command.
2
Rule
Severity: Medium
RHEL 9 must require users to reauthenticate for privilege escalation.
2
Rule
Severity: Medium
RHEL 9 must restrict the use of the "su" command.
2
Rule
Severity: Medium
RHEL 9 must require users to provide a password for privilege escalation.
2
Rule
Severity: Medium
RHEL 9 must not be configured to bypass password requirements for privilege escalation.
2
Rule
Severity: Medium
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
1
Rule
Severity: Medium
The VMM must require users to re-authenticate for privilege escalation.
1
Rule
Severity: Medium
The VMM must require users to re-authenticate when changing roles.
1
Rule
Severity: Medium
The VMM must require users to re-authenticate when changing authenticators.
4
Rule
Severity: Medium
The Photon operating system must require users to reauthenticate for privilege escalation.
3
Rule
Severity: Medium
The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
1
Rule
Severity: Medium
The vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.
3
Rule
Severity: Medium
The vCenter ESX Agent Manager service must set an inactive timeout for sessions.
3
Rule
Severity: Medium
The vCenter Lookup service must set an inactive timeout for sessions.
3
Rule
Severity: Medium
The vCenter Perfcharts service must set an inactive timeout for sessions.
3
Rule
Severity: Medium
The vCenter STS service must set an inactive timeout for sessions.
3
Rule
Severity: Medium
The vCenter UI service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.
1
Rule
Severity: Medium
The BIG-IP APM module must require users to reauthenticate when the user's role or information authorizations are changed.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to set a "Maximum Session Timeout" value of 8 hours or less.
1
Rule
Severity: Medium
The BIG-IP Core implementation must require users to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s).
1
Rule
Severity: Medium
Idle timeout for the management application must be set to 10 minutes.
1
Rule
Severity: Medium
The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
1
Rule
Severity: Medium
Dragos must configure idle timeouts at 10 minutes.
1
Rule
Severity: Medium
The F5 BIG-IP appliance providing user authentication intermediary services must require users to reauthenticate when the user's role or information authorizations is changed.
1
Rule
Severity: Medium
The F5 BIG-IP appliance must be configured to set a Maximum Session Timeout value of eight hours or less.
1
Rule
Severity: Medium
The F5 BIG-IP appliance IPsec VPN Gateway must renegotiate the IPsec Phase 1 security association after eight hours or less.
1
Rule
Severity: Medium
The F5 BIG-IP appliance IPsec VPN must renegotiate the IKE Phase 2 security association after eight hours or less.
1
Rule
Severity: Medium
The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
1
Rule
Severity: Medium
OL 8 must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges.
1
Rule
Severity: Medium
SLEM 5 must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
The SUSE operating system must require reauthentication when using the "sudo" command.
1
Rule
Severity: Low
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules