800-53|SC-23

Title

SESSION AUTHENTICITY

Description

The information system protects the authenticity of communications sessions.

Supplemental

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-10,SC-11,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - ConfigMaps	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - FeatureGates	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled - Overrides	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.5 Ensure that the --bind-address argument is set to 127.0.0.1	OpenShift	CIS RedHat OpenShift Container Platform 4 v1.5.0 L1
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes Benchmark v1.8.0 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.1 Set 'password' for 'enable secret'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Enable 'service password-encryption'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes Benchmark v1.8.0 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.3 Set 'username secret' for all local users	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.1 Set 'no snmp-server' to disable SNMP when unused	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.2 Unset 'private' for 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.3 Unset 'public' for 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.4 Do not set 'RW' for any 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.5 Set the ACL for each 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.7 Set 'snmp-server host' when using SNMP	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3	Cisco	CIS Cisco IOS 15 L2 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3	Cisco	CIS Cisco IOS 15 L2 v4.1.1
2.0 Install & Config - 'Enable FilerView HTTPS'	NetApp	TNS NetApp Data ONTAP 7G
2.1.1 Turn off Bluetooth, if no paired devices exist	Unix	CIS Apple macOS 10.14 v2.0.0 L1
2.1.1.1.1 Set the 'hostname'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.2 Set the 'ip domain-name'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.5 Set maximimum value for 'ip ssh authentication-retries'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.2 Set version 2 for 'ip ssh version'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.2 Ensure Show Wi-Fi status in Menu Bar Is Enabled	Unix	CIS Apple macOS 12.0 Monterey v3.0.0 L1
2.1.2 Ensure Show Wi-Fi status in Menu Bar Is Enabled	Unix	CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.1.2 Set 'no cdp run'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.3 Set 'no ip bootp server'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp' - dhcp pool	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.5 Set 'no ip identd'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.6 Set 'service tcp-keepalives-in'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.8 Set 'no service pad'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.10 Ensure management GUI listens on secure TLS version	FortiGate	CIS Fortigate 7.0.x Level 1 v1.2.0
2.2 Ensure network traffic is restricted between containers on the default bridge	Unix	CIS Docker v1.6.0 L1 Docker Linux
2.18 Ensure 'Require online OCSP/CRL checks for local trust anchors' is set to 'Enabled'	Windows	CIS Google Chrome L2 v3.0.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 9 L2 v1.2.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10 L2 v1.1.0 Middleware
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10 L2 v1.1.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 9 L2 v1.2.0 Middleware

Detections

Analytics