CCI-004895

Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication.

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

16 rules found Severity: Medium

25 rules found Severity: Medium

24 rules found Severity: Medium

14 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

CCI-004895

Idle timeout for the management application must be set to 10 minutes.

The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles.

PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less.

The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less.

The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

AIX must remove NOPASSWD tag from sudo config files.

AIX must remove !authenticate option from sudo config files.

HTTP session timeout must be configured.

If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication.

The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set.

Users must be prompted for a password on resume from sleep (on battery).

The user must be prompted for a password on resume from sleep (plugged in).

Passwords must not be saved in the Remote Desktop Client.

Remote Desktop Services must always prompt a client for passwords upon connection.

The Windows Remote Management (WinRM) service must not store RunAs credentials.

User Account Control approval mode for the built-in Administrator must be enabled.

User Account Control must automatically deny elevation requests for standard users.

User Account Control must run all administrators in Admin Approval Mode, enabling UAC.

The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.

The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation.

The Oracle Linux operating system must require re-authentication when using the "sudo" command.

The Oracle Linux operating system must not be configured to bypass password requirements for privilege escalation.

The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

Splunk Enterprise idle session timeout must be set to not exceed 15 minutes.

TOSS must require reauthentication when using the "sudo" command.

TOSS must require users to reauthenticate for privilege escalation.

TOSS must require users to provide a password for privilege escalation.

Enforce usage of pam_wheel for su authentication

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

Ensure Users Re-Authenticate for Privilege Escalation - sudo

Disallow Configuration to Bypass Password Requirements for Privilege Escalation

Require Re-Authentication When Using the sudo Command

The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command.

The macOS system must configure sudoers timestamp type.

The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles.

MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication.

OL 8 must require users to provide a password for privilege escalation.

OL 8 must require users to reauthenticate for privilege escalation and changing roles.

OL 8 must require reauthentication when using the "sudo" command.

OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity.

The OL 8 operating system must not be configured to bypass password requirements for privilege escalation.

RHEL 8 must require users to provide a password for privilege escalation.

RHEL 8 must require users to reauthenticate for privilege escalation.

RHEL 8 must require re-authentication when using the "sudo" command.

The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation.

RHEL 9 must require reauthentication when using the "sudo" command.

RHEL 9 must require users to reauthenticate for privilege escalation.

RHEL 9 must restrict the use of the "su" command.

RHEL 9 must require users to provide a password for privilege escalation.

RHEL 9 must not be configured to bypass password requirements for privilege escalation.

The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.

The SUSE operating system must require re-authentication when using the "sudo" command.

The SUSE operating system must not be configured to bypass password requirements for privilege escalation.

The SUSE operating system must require reauthentication when using the "sudo" command.

The vCenter ESX Agent Manager service must set an inactive timeout for sessions.

The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity.

The vCenter Lookup service must set an inactive timeout for sessions.

The vCenter Perfcharts service must set an inactive timeout for sessions.

The Photon operating system must require users to reauthenticate for privilege escalation.

The vCenter STS service must set an inactive timeout for sessions.

The vCenter UI service must set an inactive timeout for sessions.