800-53|MA-4

Title

NONLOCAL MAINTENANCE

Description

The organization:

Supplemental

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

Reference Item Details

Related: AC-17,AC-2,AC-3,AC-6,AU-2,AU-3,IA-2,IA-4,IA-5,IA-8,MA-2,MA-5,MP-6,PL-2,SC-10,SC-17,SC-7

Category: MAINTENANCE

Family: MAINTENANCE

Priority: P2

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.2 Ensure that the --basic-auth-file argument is not set - ClusterOperatorsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-apiserverOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.2 Ensure that the --basic-auth-file argument is not set - openshift-kube-apiserverOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.2 Ensure that the --token-auth-file parameter is not setUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not setUnixCIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not setUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not setUnixCIS Kubernetes Benchmark v1.8.0 L1 Master
1.2.3 Ensure that the --DenyServiceExternalIPs is not setUnixCIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.3 Ensure that the --DenyServiceExternalIPs is not setUnixCIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.3 Ensure that the --token-auth-file parameter is not set - ClusterOperatorsOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the --token-auth-file parameter is not set - KubeApiServersOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-apiserverOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the --token-auth-file parameter is not set - openshift-kube-apiserverOpenShiftCIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.3 Ensure that the DenyServiceExternalIPs is setUnixCIS Kubernetes Benchmark v1.8.0 L1 Master
2.6.7 Audit Lockdown ModeUnixCIS Apple macOS 14.0 Sonoma v1.0.0 L2
2.6.7 Audit Lockdown ModeUnixCIS Apple macOS 13.0 Ventura v2.0.0 L2
3.4 Ensure that Storage Account Access Keys are Periodically Regeneratedmicrosoft_azureCIS Microsoft Azure Foundations v2.0.0 L1
3.6.1.1 OpenSSH - InstallationUnixCIS IBM AIX 7.1 L1 v2.1.0
4.1.3.10 Ensure use of privileged commands is collectedUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EACCES 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EACCES 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EPERM 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EPERM 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EACCES 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EACCES 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EPERM 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - ftruncate EPERM 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EACCES 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EACCES 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EPERM 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - open EPERM 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EACCES 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EACCES 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EPERM 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - openat EPERM 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EACCES 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EACCES 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EPERM 32 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - truncate EPERM 64 bitUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.13 Ensure login and logout events are collected - faillockUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.13 Ensure login and logout events are collected - lastlogUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.15 Ensure all uses of the passwd command are audited.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.16 Ensure auditing of the unix_chkpwd commandUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.17 Ensure audit of the gpasswd commandUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.18 Ensure audit all uses of chageUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.19 Ensure audit all uses of the chsh command.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
10.1 Ensure Web content directory is on a separate partition from the Tomcat system filesUnixCIS Apache Tomcat 10 L1 v1.1.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system filesUnixCIS Apache Tomcat 10 L1 v1.1.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directoryUnixCIS Apache Tomcat 9 L1 v1.2.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directoryUnixCIS Apache Tomcat 9 L1 v1.2.0