Capacity
CCI-004895
Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication.
1
Rule
Severity: Medium
Idle timeout for the management application must be set to 10 minutes.
1
Rule
Severity: Medium
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
1
Rule
Severity: Medium
The macOS system must configure sudoers timestamp type.
1
Rule
Severity: Medium
The application server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
1
Rule
Severity: Medium
PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.
1
Rule
Severity: Medium
The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: High
AIX must remove NOPASSWD tag from sudo config files.
1
Rule
Severity: Medium
AIX must remove !authenticate option from sudo config files.
1
Rule
Severity: Medium
HTTP session timeout must be configured.
1
Rule
Severity: Medium
If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.
1
Rule
Severity: Medium
MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
2
Rule
Severity: Medium
Users must be prompted for a password on resume from sleep (on battery).
2
Rule
Severity: Medium
The user must be prompted for a password on resume from sleep (plugged in).
2
Rule
Severity: Medium
Passwords must not be saved in the Remote Desktop Client.
2
Rule
Severity: Medium
Remote Desktop Services must always prompt a client for passwords upon connection.
2
Rule
Severity: Medium
The Windows Remote Management (WinRM) service must not store RunAs credentials.
2
Rule
Severity: Medium
User Account Control approval mode for the built-in Administrator must be enabled.
2
Rule
Severity: Medium
User Account Control must automatically deny elevation requests for standard users.
2
Rule
Severity: Medium
User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
1
Rule
Severity: Medium
Windows Server 2019 must not save passwords in the Remote Desktop Client.
1
Rule
Severity: Medium
Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
1
Rule
Severity: Medium
Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
1
Rule
Severity: Medium
Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
1
Rule
Severity: Medium
Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
1
Rule
Severity: Medium
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
1
Rule
Severity: Medium
Windows Server 2022 must not save passwords in the Remote Desktop Client.
1
Rule
Severity: Medium
Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection.
1
Rule
Severity: Medium
Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials.
1
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
1
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation.
1
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
1
Rule
Severity: Medium
OL 8 must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
OL 8 must require users to reauthenticate for privilege escalation and changing roles.
1
Rule
Severity: Medium
OL 8 must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation.
1
Rule
Severity: Medium
The Oracle Linux operating system must require re-authentication when using the "sudo" command.
1
Rule
Severity: Medium
The Oracle Linux operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The OL 8 operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
RHEL 8 must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
RHEL 8 must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
1
Rule
Severity: Medium
RHEL 8 must require re-authentication when using the "sudo" command.
1
Rule
Severity: Medium
The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
RHEL 9 must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
RHEL 9 must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
RHEL 9 must restrict the use of the "su" command.
1
Rule
Severity: Medium
RHEL 9 must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
RHEL 9 must not be configured to bypass password requirements for privilege escalation.
2
Rule
Severity: High
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
1
Rule
Severity: Medium
The SUSE operating system must require re-authentication when using the "sudo" command.
2
Rule
Severity: Medium
The SUSE operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
The SUSE operating system must require reauthentication when using the "sudo" command.
1
Rule
Severity: Low
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
1
Rule
Severity: Medium
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
1
Rule
Severity: Medium
TOSS must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
TOSS must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
TOSS must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
The vCenter ESX Agent Manager service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
1
Rule
Severity: Medium
The vCenter Lookup service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The vCenter Perfcharts service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The Photon operating system must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
The vCenter STS service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The vCenter UI service must set an inactive timeout for sessions.
16
Rule
Severity: Medium
Enforce usage of pam_wheel for su authentication
25
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
25
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
25
Rule
Severity: Medium
Ensure Users Re-Authenticate for Privilege Escalation - sudo
24
Rule
Severity: Medium
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
13
Rule
Severity: Medium
Require Re-Authentication When Using the sudo Command
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules