800-53|IA-2(1)

Title

NETWORK ACCESS TO PRIVILEGED ACCOUNTS

Description

The information system implements multifactor authentication for network access to privileged accounts.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.3.8.1 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - certificate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - key | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.30 Ensure that the API Server only makes use of Strong Cryptographic Ciphers | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | GCP | CIS Google Cloud Platform Foundation v4.0.0 L1 |
| 1.2.1 Set the 'hostname' | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1 |
| 1.2.2 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.3 Set 'seconds' for 'ssh timeout' for 60 seconds or less | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L1 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.2.4.2.1.15 Set 'Configure use of smart cards on fixed data drives' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.15 Set 'Require additional authentication at startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.4.2.2.25 Set 'Allow enhanced PINs for startup' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0 |
| 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | GCP | CIS Google Cloud Platform Foundation v4.0.0 L2 |
| 1.4 Ensure MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations v5.0.0 L1 |
| 1.4 Ensure multi-factor authentication (MFA) is turned on for all human users with password-based authentication | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |
| 1.5 Ensure hardware MFA is enabled for the 'root' user account | amazon_aws | CIS Amazon Web Services Foundations v5.0.0 L2 |
| 1.5.1 Ensure 'V3' is selected for SNMP polling | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.5.2 Log all Successful and Failed Administrative Logins | Cisco | CIS Cisco NX-OS v1.2.0 L2 |
| 1.5.7 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L2 |
| 1.5.8 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS XR 7.x v1.0.1 L2 |
| 1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS XE 17.x v2.2.1 L1 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 12 L2 v4.0.0 |
| 1.10 Ensure required packages for multifactor authentication are installed | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG |
| 1.13 Ensure the operating system has the packages required for multifactor authentication | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG |
| 1.19 UBTU-24-100650 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II |
| 1.20 UBTU-24-100660 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II |
| 1.30 UBTU-24-100910 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II |
| 1.59 APPL-14-001150 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT I |
| 1.102 UBTU-22-612010 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II |
| 1.104 UBTU-22-612020 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II |
| 1.124 APPL-14-003020 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II |
| 1.125 APPL-14-003030 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II |
| 1.126 APPL-14-003050 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II |
| 1.127 APPL-14-003051 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II |
| 1.128 APPL-14-003052 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II |
| 1.185 OL08-00-020250 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II |
| 1.208 RHEL-09-255035 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II |
| 1.225 WN10-SO-000251 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II |
| 1.339 RHEL-09-611160 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II |
| 1.340 RHEL-09-611165 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II |