CCI-002038

The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

32 rules found Severity: Medium

7 rules found Severity: Medium

4 rules found Severity: Medium

7 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

4 rules found Severity: Medium

5 rules found Severity: Medium

4 rules found Severity: Medium

5 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

CCI-002038

Ensure Users Re-Authenticate for Privilege Escalation - sudo

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Require Re-Authentication When Using the sudo Command

Disallow Configuration to Bypass Password Requirements for Privilege Escalation

The CA API Gateway providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.

CounterACT, when providing user authentication intermediary services, must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The DataPower Gateway must require users to re-authenticate when privilege escalation or role changes occur.

Nutanix AOS must require users to reauthenticate for privilege escalation.

Symantec ProxySG providing user authentication intermediary services must require users to reauthenticate every 900 seconds when organization-defined circumstances or situations require reauthentication.

The Ubuntu operating system must require users to re-authenticate for privilege escalation and changing roles.

MongoDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation.

The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation.

The Red Hat Enterprise Linux operating system must require re-authentication when using the "sudo" command.

The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation.

The EDB Postgres Advanced Server must require users to re-authenticate when organization-defined circumstances or situations require re-authentication.

The BIG-IP APM module must require users to reauthenticate when the user's role or information authorizations are changed.

The F5 BIG-IP appliance must be configured to set a "Maximum Session Timeout" value of 8 hours or less.

The BIG-IP Core implementation must require users to reauthenticate when the user's role, the information authorizations, and/or the maximum session timeout is exceeded for the virtual server(s).

Idle timeout for the management application must be set to 10 minutes.

The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.

The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.

The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.

The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.

The F5 BIG-IP appliance providing user authentication intermediary services must require users to reauthenticate when the user's role or information authorizations is changed.

The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The F5 BIG-IP appliance must be configured to set a Maximum Session Timeout value of eight hours or less.

The F5 BIG-IP appliance IPsec VPN Gateway must renegotiate the IPsec Phase 1 security association after eight hours or less.

The F5 BIG-IP appliance IPsec VPN must renegotiate the IKE Phase 2 security association after eight hours or less.

SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

AIX must remove NOPASSWD tag from sudo config files.

AIX must remove !authenticate option from sudo config files.

HTTP session timeout must be configured.

If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.

The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.

Users must be prompted for a password on resume from sleep (on battery).

The user must be prompted for a password on resume from sleep (plugged in).

Passwords must not be saved in the Remote Desktop Client.

Remote Desktop Services must always prompt a client for passwords upon connection.

The Windows Remote Management (WinRM) service must not store RunAs credentials.

User Account Control approval mode for the built-in Administrator must be enabled.

User Account Control must automatically deny elevation requests for standard users.

User Account Control must run all administrators in Admin Approval Mode, enabling UAC.

User Account Control must automatically deny standard user requests for elevation.

The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.

The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation.

The Oracle Linux operating system must require re-authentication when using the "sudo" command.

The Oracle Linux operating system must not be configured to bypass password requirements for privilege escalation.

The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges.

SLEM 5 must require reauthentication when using the "sudo" command.

Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

The macOS system must configure sudoers timestamp type.

The application server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The ALG providing user authentication intermediary services must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication.

Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.

The Central Log Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

Dragos must configure idle timeouts at 10 minutes.

The operating system must require users to reauthenticate for privilege escalation.

The operating system must require users to reauthenticate when changing roles.

The operating system must require users to reauthenticate when changing authenticators.

AOS, when used as a VPN Gateway, must renegotiate the security association after 24 hours or less or as defined by the organization.

MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

Windows Server 2019 must not save passwords in the Remote Desktop Client.

Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.

Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.

Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.

Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.

Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.

Windows Server 2022 must not save passwords in the Remote Desktop Client.