CCI-004895
Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication.
1
Rule
Severity: Medium
Idle timeout for the management application must be set to 10 minutes.
1
Rule
Severity: Medium
The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.
1
Rule
Severity: Medium
The macOS system must configure sudoers timestamp type.
1
Rule
Severity: Medium
The application server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.
1
Rule
Severity: Medium
PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.
1
Rule
Severity: Medium
The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
1
Rule
Severity: High
AIX must remove NOPASSWD tag from sudo config files.
1
Rule
Severity: Medium
AIX must remove !authenticate option from sudo config files.
1
Rule
Severity: Medium
HTTP session timeout must be configured.
1
Rule
Severity: Medium
If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.
1
Rule
Severity: Medium
MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.
2
Rule
Severity: Medium
Users must be prompted for a password on resume from sleep (on battery).
2
Rule
Severity: Medium
The user must be prompted for a password on resume from sleep (plugged in).
2
Rule
Severity: Medium
Passwords must not be saved in the Remote Desktop Client.
2
Rule
Severity: Medium
Remote Desktop Services must always prompt a client for passwords upon connection.
2
Rule
Severity: Medium
The Windows Remote Management (WinRM) service must not store RunAs credentials.
2
Rule
Severity: Medium
User Account Control approval mode for the built-in Administrator must be enabled.
2
Rule
Severity: Medium
User Account Control must automatically deny elevation requests for standard users.
2
Rule
Severity: Medium
User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
1
Rule
Severity: Medium
Windows Server 2019 must not save passwords in the Remote Desktop Client.
1
Rule
Severity: Medium
Windows Server 2019 Remote Desktop Services must always prompt a client for passwords upon connection.
1
Rule
Severity: Medium
Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials.
1
Rule
Severity: Medium
Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled.
1
Rule
Severity: Medium
Windows Server 2019 User Account Control must automatically deny standard user requests for elevation.
1
Rule
Severity: Medium
Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC.
1
Rule
Severity: Medium
Windows Server 2022 must not save passwords in the Remote Desktop Client.
1
Rule
Severity: Medium
Windows Server 2022 Remote Desktop Services must always prompt a client for passwords upon connection.
1
Rule
Severity: Medium
Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials.
1
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) approval mode for the built-in Administrator must be enabled.
1
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must automatically deny standard user requests for elevation.
1
Rule
Severity: Medium
Windows Server 2022 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
1
Rule
Severity: Medium
OL 8 must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
OL 8 must require users to reauthenticate for privilege escalation and changing roles.
1
Rule
Severity: Medium
OL 8 must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation.
1
Rule
Severity: Medium
The Oracle Linux operating system must require re-authentication when using the "sudo" command.
1
Rule
Severity: Medium
The Oracle Linux operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.
1
Rule
Severity: Medium
The OL 8 operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
RHEL 8 must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
RHEL 8 must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.
1
Rule
Severity: Medium
RHEL 8 must require re-authentication when using the "sudo" command.
1
Rule
Severity: Medium
The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
RHEL 9 must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
RHEL 9 must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
RHEL 9 must restrict the use of the "su" command.
1
Rule
Severity: Medium
RHEL 9 must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
RHEL 9 must not be configured to bypass password requirements for privilege escalation.
2
Rule
Severity: High
The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.
1
Rule
Severity: Medium
The SUSE operating system must require re-authentication when using the "sudo" command.
2
Rule
Severity: Medium
The SUSE operating system must not be configured to bypass password requirements for privilege escalation.
1
Rule
Severity: Medium
The SUSE operating system must require reauthentication when using the "sudo" command.
1
Rule
Severity: Low
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
1
Rule
Severity: Medium
Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.
1
Rule
Severity: Medium
TOSS must require reauthentication when using the "sudo" command.
1
Rule
Severity: Medium
TOSS must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
TOSS must require users to provide a password for privilege escalation.
1
Rule
Severity: Medium
The vCenter ESX Agent Manager service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.
1
Rule
Severity: Medium
The vCenter Lookup service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The vCenter Perfcharts service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The Photon operating system must require users to reauthenticate for privilege escalation.
1
Rule
Severity: Medium
The vCenter STS service must set an inactive timeout for sessions.
1
Rule
Severity: Medium
The vCenter UI service must set an inactive timeout for sessions.