800-53|SC-23

Title

SESSION AUTHENTICITY

Description

The information system protects the authenticity of communications sessions.

Supplemental

This control addresses communications protection at the session level rather than the packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence, at both ends of a communications session, in the ongoing identities of the other parties and in the validity of the information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Reference Item Details

Related: SC-10, SC-11, SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Enable 'service password-encryption' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.3 Set 'username secret' for all local users | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.22 DefaultCacheTimeout must be configured properly for active security domains - 'DefaultCacheTimeout <= 1800' | Unix | Redhat JBoss EAP 5.x
2.0 Install & Config - 'Enable FilerView HTTPS' | NetApp | TNS NetApp Data ONTAP 7G
2.1.1.1.1 Set the 'hostname' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.2 Set the 'ip domain-name' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.2 Set version 2 for 'ip ssh version' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.2 Ensure network traffic is restricted between containers on the default bridge | Unix | CIS Docker v1.3.1 L1 Docker Linux
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface IP Address is defined' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
2.4.1 Create a single 'interface loopback' - 'Only one loopback interface is defined' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
2.4.2 Set AAA 'source-interface' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface | Cisco | CIS Cisco IOS 15 L2 v4.1.1
2.5 Ensure SNMP is configured properly - 'community name private does not exist' | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
2.5 Ensure SNMP is configured properly - 'community name private does not exist' | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.5 Ensure SNMP is configured properly - 'community name public does not exist' | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
2.5 Ensure SNMP is configured properly - 'community name public does not exist' | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.6 Ensure dvfilter API is not configured if not used | VMware | CIS VMware ESXi 6.7 v1.2.0 Level 1
2.6 Ensure dvfilter API is not configured if not used | VMware | CIS VMware ESXi 7.0 v1.1.0 Level 1
2.17 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled' | Windows | CIS Google Chrome L2 v2.1.0
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.all.send_redirects (sysctl.conf/sysctl.d) | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
3.1.1 Ensure packet redirect sending is disabled - net.ipv4.conf.default.send_redirects (sysctl.conf/sysctl.d) | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.all.send_redirects | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
3.1.1 Ensure packet redirect sending is disabled - sysctl net.ipv4.conf.default.send_redirects | Unix | CIS Google Container-Optimized OS L1 Server v1.0.0
3.1.1 Set 'no ip source-route' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
3.1.2 Set 'no ip proxy-arp' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
3.1.3 Set 'no interface tunnel' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
3.1.4 Set 'ip verify unicast source reachable-via' | Cisco | CIS Cisco IOS 15 L2 v4.1.1
3.2.1 Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks - 'Default deny configured' | Cisco | CIS Cisco IOS 15 L2 v4.1.1