800-53|SC-23

Title

SESSION AUTHENTICITY

Description

The information system protects the authenticity of communications sessions.

Supplemental

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-10,SC-11,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.5.5 (L1) Ensure 'Locked' is set to 'Enabled'	Windows	CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.2.7 Ensure that the APIPriorityAndFairness feature gate is enabled	OpenShift	CIS Red Hat OpenShift Container Platform v1.8.0 L1 OpenShift
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.11.1 L1 Master Node
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.1 Set 'password' for 'enable secret'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Enable 'service password-encryption'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.11.1 L1 Master Node
1.4.3 Set 'username secret' for all local users	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.1 Set 'no snmp-server' to disable SNMP when unused	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.2 Unset 'private' for 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.3 Unset 'public' for 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.4 Do not set 'RW' for any 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.5 Set the ACL for each 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.7 Set 'snmp-server host' when using SNMP	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3	Cisco	CIS Cisco IOS 15 L2 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3	Cisco	CIS Cisco IOS 15 L2 v4.1.1
1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L2
1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs	Palo_Alto	CIS Palo Alto Firewall 10 v1.2.0 L2
1.9.1.1 Ensure 'NTP authentication' is enabled	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.9.1.2 Ensure 'NTP authentication key' is configured correctly	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.173 WN19-DC-000280	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.174 WN19-DC-000290	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT I
1.175 WN19-DC-000300	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT I
1.205 WN19-PK-000010	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.205 WN19-PK-000010	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.206 WN19-PK-000020	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.206 WN19-PK-000020	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.207 WN19-PK-000030	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.207 WN19-PK-000030	Windows	CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
2.0 Install & Config - 'Enable FilerView HTTPS'	NetApp	TNS NetApp Data ONTAP 7G
2.1.1 Turn off Bluetooth, if no paired devices exist	Unix	CIS Apple macOS 10.14 v2.0.0 L1
2.1.1.1.1 Set the 'hostname'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.2 Set the 'ip domain-name'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares	microsoft_azure	CIS Microsoft Azure Foundations v4.0.0 L1
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10 L2 v1.1.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10 L2 v1.1.0 Middleware
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10.1 v1.1.0 L2
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 11 v1.0.0 L2
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 9 L2 v1.2.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 9 L2 v1.2.0 Middleware

Detections

Analytics