800-53|IA-2(11)

Title

REMOTE ACCESS - SEPARATE DEVICE

Description

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.10 Ensure required packages for multifactor authentication are installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Rocky Linux 8 Workstation L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS AlmaLinux OS 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS CentOS Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Oracle Linux 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Red Hat EL8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Oracle Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Red Hat EL8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Rocky Linux 8 Server L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Oracle Linux 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Amazon Linux 2 v3.0.0 L1
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS CentOS Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS Oracle Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installed | Unix | CIS AlmaLinux OS 8 Workstation L1 v3.0.0
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS AlmaLinux OS 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS AlmaLinux OS 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS SUSE Linux Enterprise 15 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS SUSE Linux Enterprise 15 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS Red Hat Enterprise Linux 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS Rocky Linux 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS Red Hat Enterprise Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS Rocky Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS Oracle Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installed | Unix | CIS Oracle Linux 9 v2.0.0 L1 Workstation
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication. | Unix | DISA STIG AIX 7.x v3r1
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
OL07-00-041001 - The Oracle Linux operating system must have the required packages for multifactor authentication installed. | Unix | DISA Oracle Linux 7 STIG v3r1
OL07-00-041003 - The Oracle Linux operating system must implement certificate status checking for PKI authentication. | Unix | DISA Oracle Linux 7 STIG v3r1
OL08-00-010390 - OL 8 must have the package required for multifactor authentication installed. | Unix | DISA Oracle Linux 8 STIG v2r2
RHEL-07-041001 - The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-041003 - The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication. | Unix | DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-08-010390 - RHEL 8 must have the packages required for multifactor authentication installed. | Unix | DISA Red Hat Enterprise Linux 8 STIG v2r1
RHEL-09-215075 - RHEL 9 must have the openssl-pkcs11 package installed. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611165 - RHEL 9 must enable certificate based smart card authentication. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611175 - RHEL 9 must have the pcsc-lite package installed. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611180 - The pcscd service on RHEL 9 must be active. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611185 - RHEL 9 must have the opensc package installed. | Unix | DISA Red Hat Enterprise Linux 9 STIG v2r2
SLES-12-030520 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Unix | DISA SLES 12 STIG v3r1
SLES-15-020030 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | Unix | DISA SLES 15 STIG v2r2