CCI-004045
Require users to be individually authenticated before granting access to the shared accounts or resources.
1
Rule
Severity: Medium
AAA Services must be configured to require users to be individually authenticated before granting access to the shared accounts or resources.
1
Rule
Severity: High
TLS must be enabled on JMX.
1
Rule
Severity: Medium
The macOS system must disable logon to other user's active and locked sessions.
1
Rule
Severity: Medium
The macOS system must disable root logon.
1
Rule
Severity: Medium
The macOS system must disable root logon for SSH.
1
Rule
Severity: Medium
The macOS system must disable login to other users' active and locked sessions.
1
Rule
Severity: Medium
The macOS system must disable root login.
1
Rule
Severity: Medium
The macOS system must disable root login for SSH.
1
Rule
Severity: Medium
The application server must authenticate users individually prior to using a group authenticator.
1
Rule
Severity: Medium
Shared/group account credentials must be terminated when members leave the group.
1
Rule
Severity: Medium
The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
1
Rule
Severity: Medium
The Ubuntu operating system must prevent direct login into the root account.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must prevent direct login into the root account.
1
Rule
Severity: Medium
The Central Log Server must require users to be individually authenticated before granting access to the shared accounts or resources.
1
Rule
Severity: Medium
The Cisco ISE must change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access.
1
Rule
Severity: Medium
The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator.
1
Rule
Severity: Medium
The container platform must terminate shared/group account credentials when members leave the group.
1
Rule
Severity: Medium
The DBMS must require users to be individually authenticated before granting access to the shared accounts or resources.
1
Rule
Severity: Medium
The DNS server implementation must require users to be individually authenticated before granting access to the shared accounts or resources.
1
Rule
Severity: Medium
Forescout must terminate the account of last resort password when members with access to the password leave the group.
3
Rule
Severity: Medium
The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
1
Rule
Severity: Medium
Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts.
1
Rule
Severity: Medium
IBM RACF user accounts must uniquely identify system users.
1
Rule
Severity: Medium
CA-TSS user accounts must uniquely identify system users.
1
Rule
Severity: High
The ICS must be configured to prevent nonprivileged users from executing privileged functions.
1
Rule
Severity: Medium
The Juniper EX switch must change credentials for account of last resort when administrators who know the credential leave the organization.
1
Rule
Severity: Medium
The Mainframe Product must verify users are authenticated with an individual authenticator prior to using a group authenticator.
1
Rule
Severity: Medium
The Mainframe Product must terminate shared/group account credentials when members leave the group.
2
Rule
Severity: Medium
MKE must be configured to integrate with an Enterprise Identity Provider.
1
Rule
Severity: Medium
Microsoft Intune service must be configured to use a DOD Central Directory Service to provide multifactor authentication for network access to privileged and nonprivileged accounts and individual and group accounts.
1
Rule
Severity: Medium
The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
2
Rule
Severity: Medium
The network device must terminate shared/group account credentials when members leave the group.
1
Rule
Severity: Medium
ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role.
1
Rule
Severity: Medium
The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
1
Rule
Severity: Medium
OL 8 must not permit direct logons to the root account using remote access via SSH.
1
Rule
Severity: Medium
Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible.
1
Rule
Severity: Medium
Prisma Cloud Compute must be configured with unique user accounts.
1
Rule
Severity: High
The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.
1
Rule
Severity: Medium
Automation Controller must be configured to authenticate users individually, prior to using a group authenticator.
1
Rule
Severity: High
OpenShift RBAC access controls must be enforced.
1
Rule
Severity: Medium
RHEL 8 must not permit direct logons to the root account using remote access via SSH.
1
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
RHEL 9 must not permit direct logons to the root account using remote access via SSH.
1
Rule
Severity: Medium
RHEL 9 must use the common access card (CAC) smart card driver.
2
Rule
Severity: Medium
The SUSE operating system must deny direct logons to the root account using remote access via SSH.
2
Rule
Severity: Medium
The Tanium cryptographic signing capabilities must be enabled on the Tanium Server.
2
Rule
Severity: Medium
The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions.
1
Rule
Severity: High
The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.
1
Rule
Severity: Medium
The password for the local account of last resort and the device password (if configured) must be changed when members who had access to the password leave the role and are no longer authorized access.
1
Rule
Severity: Medium
TOSS must not permit direct logons to the root account using remote access from outside of the system via SSH.
1
Rule
Severity: Medium
The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.
1
Rule
Severity: Low
The ESXi host must uniquely identify and must authenticate organizational users by using Active Directory.
1
Rule
Severity: Medium
The web server must require users to be individually authenticated before granting access to the shared accounts or resources.
1
Rule
Severity: Medium
The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users.
1
Rule
Severity: Medium
The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator.