CCI-004046

Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

8 rules found Severity: Medium

6 rules found Severity: Medium

12 rules found Severity: Medium

10 rules found Severity: Medium

14 rules found Severity: Medium

11 rules found Severity: Medium

8 rules found Severity: Medium

12 rules found Severity: Medium

7 rules found Severity: Medium

5 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

CCI-004046

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

The Cisco ISE must be configured to use an external authentication server to authenticate administrators prior to granting administrative access.

The DNS server implementation must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The AIX operating system must use Multi Factor Authentication.

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

The Sentry providing mobile device authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Juniper EX switch must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The network device must be configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

The Oracle Linux operating system must have the required packages for multifactor authentication installed.

The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The Oracle Linux operating system must implement certificate status checking for PKI authentication.

The Riverbed NetProfiler must be configured to use an authentication server to authenticate users prior to granting administrative access.

Multifactor authentication must be enabled on the Tanium Server for network access with privileged accounts.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions.

TOSS must have the packages required for multifactor authentication installed.

The web server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Configure PAM in SSSD Services

Enable the GNOME3 Login Smartcard Authentication

Install the opensc Package For Multifactor Authentication

Install the pcsc-lite package

Install Smart Card Packages For Multifactor Authentication

Enable the pcscd Service

Certificate status checking in SSSD

Enable Smartcards in SSSD

Configure Smart Card Certificate Status Checking

Enable Smart Card Logins in PAM

NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

The macOS system must disable password authentication for SSH.

The macOS system must enforce smart card authentication.

The application server must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The ALG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

The Central Log Server must be configured to use multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

AlmaLinux OS 9 must have the opensc package installed.

The pcscd socket on AlmaLinux OS 9 must be active.

AlmaLinux OS 9 must have the pcsc-lite package installed.

AlmaLinux OS 9 must implement certificate status checking for multifactor authentication.

AlmaLinux OS 9 must enable certificate based smart card authentication.

AlmaLinux OS 9 must have the openssl-pkcs11 package installed.

The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The Dell OS10 Switch must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.

The DBMS must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Forescout must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access.

The HYCU virtual appliance must be configured to use DOD PKI as multifactor authentication (MFA) for interactive logins.

The operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

The Juniper SRX Services Gateway must be configured to use an authentication server to centrally manage authentication and logon settings for remote and nonlocal access.

The Mainframe Product must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.

OL 8 must have the package required for multifactor authentication installed.

OL 8 must implement certificate status checking for multifactor authentication.

RHEL 8 must have the packages required for multifactor authentication installed.

RHEL 8 must implement certificate status checking for multifactor authentication.

RHEL 9 must have the openssl-pkcs11 package installed.

RHEL 9 must enable certificate based smart card authentication.

RHEL 9 must implement certificate status checking for multifactor authentication.

RHEL 9 must have the pcsc-lite package installed.

The pcscd service on RHEL 9 must be active.

RHEL 9 must have the opensc package installed.

The SUSE operating system must have the packages required for multifactor authentication to be installed.

The SUSE operating system must implement certificate status checking for multifactor authentication.

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The UEM server must be configured to use DOD PKI for multifactor authentication. This requirement is included in SRG-APP-000149.

The VMM must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

The VPN Client must implement multifactor authentication for network access to nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.