800-53|IA-11

Title

RE-AUTHENTICATION

Description

The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

Supplemental

In addition to the re-authentication requirements associated with session locks, organizations may require re-authentication of individuals and/or devices in other situations including, for example: (i) when authenticators change; (ii) when roles change; (iii) when security categories of information systems change; (iv) when the execution of privileged functions occurs; (v) after a fixed period of time; or (vi) periodically.

Reference Item Details

Related: AC-11

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Priority: P0

Audit Items


| Name | Plugin | Audit Name |
| --- | --- | --- |
| 3.070 - The system is configured to permit storage of credentials or .NET Passports. | Windows | DISA Windows Vista STIG v6r41 |
| 3.129 - User Account Control - Built In Admin Approval Mode | Windows | DISA Windows Vista STIG v6r41 |
| 3.131 - User Account Control - Behavior of elevation prompt for standard users. | Windows | DISA Windows Vista STIG v6r41 |
| 3.137 - User Account Control - Run all admins in Admin Approval Mode | Windows | DISA Windows Vista STIG v6r41 |
| 5.2.4 Ensure users must provide password for escalation | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 5.2.5 Ensure users must re-authenticate for privilege escalation | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 5.2.7 Ensure sudo authentication timeout is configured - sudo command. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 5.042 - Terminal Services is not configured to always prompt a client for passwords upon connection. | Windows | DISA Windows Vista STIG v6r41 |
| 5.116 - Terminal Services / Remote Desktop Service - Prevent password saving in the Remote Desktop Client | Windows | DISA Windows Vista STIG v6r41 |
| 5.224 - Power Mgmt - Password Wake on Battery | Windows | DISA Windows Vista STIG v6r41 |
| 5.225 - Power Mgmt - Password Wake When Plugged In | Windows | DISA Windows Vista STIG v6r41 |
| AIX7-00-002061 - AIX must remove NOPASSWD tag from sudo config files. | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-002062 - AIX must remove !authenticate option from sudo config files. | Unix | DISA STIG AIX 7.x v2r9 |
| AIX7-00-002108 - If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. | Unix | DISA STIG AIX 7.x v2r9 |
| AMLS-L2-000150 - The Arista Multilayer Switch must re-authenticate 802.1X connected devices every hour - dot1x timeout reauth-period 3600 | Arista | DISA STIG Arista MLS DCS-7000 Series L2S v1r2 |
| AMLS-L2-000150 - The Arista Multilayer Switch must re-authenticate 802.1X connected devices every hour - logging level DOT1X informational | Arista | DISA STIG Arista MLS DCS-7000 Series L2S v1r2 |
| APPL-13-004022 - The macOS system must require users to reauthenticate for privilege escalation when using the 'sudo' command. | Unix | DISA STIG Apple macOS 13 v1r3 |
| Big Sur - Configure Sudoers to Authenticate Users on a Per -tty Basis | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Configure Sudoers to Authenticate Users on a Per -tty Basis | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Configure Sudoers to Authenticate Users on a Per -tty Basis | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Configure Sudoers to Authenticate Users on a Per -tty Basis | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Configure Sudoers to Authenticate Users on a Per -tty Basis | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-171 |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Disable Password Autofill | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - 800-171 |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low |
| Big Sur - Enforce Screen Saver Timeout | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| Big Sur - Require Devices to Reauthenticate when Changing Authenticators | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Require Devices to Reauthenticate when Changing Authenticators | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low |
| Big Sur - Require Devices to Reauthenticate when Changing Authenticators | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Require Devices to Reauthenticate when Changing Authenticators | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Require users to reauthenticate for privilege escalation | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Require users to reauthenticate when changing authenticators | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Require users to reauthenticate when changing authenticators | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Require users to reauthenticate when changing authenticators | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Require users to reauthenticate when changing authenticators | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low |
| CASA-VN-000350 - The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less. | Cisco | DISA STIG Cisco ASA VPN v1r3 |
| CASA-VN-000360 - The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less. | Cisco | DISA STIG Cisco ASA VPN v1r3 |