AAA Services Security Requirements Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • AAA Services must be configured to prevent automatically disabling emergency accounts.

    Emergency accounts are administrator accounts that are established in response to crisis situations where the need for rapid account activation is required. Therefore, emergency account activation ...
    Rule Low Severity
  • AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified.

    When application accounts are modified, user accessibility is affected. Accounts are utilized for identifying individual users or for identifying the application processes themselves. Sending notif...
    Rule Medium Severity
  • AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions.

    When application accounts are removed, user accessibility is affected. Accounts are utilized for identifying users or for identifying the application processes themselves. Sending notification of a...
    Rule Medium Severity
  • AAA Services must be configured to automatically audit account enabling actions.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply e...
    Rule Medium Severity
  • AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply e...
    Rule Medium Severity
  • AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.

    Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. For distributed architectures (e.g., service-oriented architectures), th...
    Rule Medium Severity
  • AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.

    Additional new EAP methods/types are still being proposed. However, the three being considered secure are EAP-TLS, EAP-TTLS, and PEAP. PEAP is the preferred EAP type to be used in DoD for its abili...
    Rule Medium Severity
  • AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.

    Devices having an IP address that do not pass authentication can be used to attack compliant devices if they share VLANs. When devices proceed into the NAC AAA (radius) functions they must originat...
    Rule Medium Severity
  • AAA Services must be configured to disable accounts when the accounts are no longer associated to a user.

    Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.
    Rule Medium Severity
  • For password-based authentication, AAA Services must be configured to update the list of passwords on an organization-defined frequency.

    Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter pas...
    Rule Medium Severity
  • For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).

    Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter pas...
    Rule Medium Severity
  • For password-based authentication, AAA Services must be configured to require immediate selection of a new password upon account recovery.

    Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter pas...
    Rule Medium Severity
  • For password-based authentication, AAA Services must be configured to employ automated tools to assist the user in selecting strong password authenticators.

    Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter pas...
    Rule Medium Severity
  • For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation.

    Public key cryptography is a valid authentication mechanism for individuals, machines, and devices. For PKI solutions, status information for certification paths includes certificate revocation lis...
    Rule Medium Severity