800-53|MA-4

Title

NONLOCAL MAINTENANCE

Description

The organization:

Supplemental

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: AC-17,AC-2,AC-3,AC-6,AU-2,AU-3,IA-2,IA-4,IA-5,IA-8,MA-2,MA-5,MP-6,PL-2,SC-10,SC-17,SC-7

Category: MAINTENANCE

Family: MAINTENANCE

Priority: P2

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.2 Ensure that the --basic-auth-file argument is not set - ClusterOperators	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-apiserver	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-kube-apiserver	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.2 Ensure that the --token-auth-file parameter is not set	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not set	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not set	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not set	Unix	CIS Kubernetes Benchmark v1.8.0 L1 Master
1.2.3 Ensure that the --DenyServiceExternalIPs is not set	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.3 Ensure that the --DenyServiceExternalIPs is not set	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.3 Ensure that the --token-auth-file parameter is not set - ClusterOperators	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServers	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-apiserver	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-kube-apiserver	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the DenyServiceExternalIPs is set	Unix	CIS Kubernetes Benchmark v1.8.0 L1 Master
2.6.7 Audit Lockdown Mode	Unix	CIS Apple macOS 14.0 Sonoma v1.0.0 L2
2.6.7 Audit Lockdown Mode	Unix	CIS Apple macOS 13.0 Ventura v2.0.0 L2
3.4 Ensure that Storage Account Access Keys are Periodically Regenerated	microsoft_azure	CIS Microsoft Azure Foundations v2.0.0 L1
3.6.1.1 OpenSSH - Installation	Unix	CIS IBM AIX 7.1 L1 v2.1.0
4.1.3.10 Ensure use of privileged commands is collected	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EACCES 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EACCES 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EPERM 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EPERM 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EACCES 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EACCES 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EPERM 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EPERM 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EACCES 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EACCES 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EPERM 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EPERM 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EACCES 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EACCES 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EPERM 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EPERM 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EACCES 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EACCES 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EPERM 32 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EPERM 64 bit	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.13 Ensure login and logout events are collected - faillock	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.13 Ensure login and logout events are collected - lastlog	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.15 Ensure all uses of the passwd command are audited.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.16 Ensure auditing of the unix_chkpwd command	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.17 Ensure audit of the gpasswd command	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.18 Ensure audit all uses of chage	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.19 Ensure audit all uses of the chsh command.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files	Unix	CIS Apache Tomcat 10 L1 v1.1.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files	Unix	CIS Apache Tomcat 10 L1 v1.1.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory	Unix	CIS Apache Tomcat 9 L1 v1.2.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory	Unix	CIS Apache Tomcat 9 L1 v1.2.0 Middleware

Detections

Analytics