800-53|SC-23

Title

SESSION AUTHENTICITY

Description

The information system protects the authenticity of communications sessions.

Supplemental

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Reference Item Details

Related: SC-10,SC-11,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.1.5.5 (L1) Ensure 'Locked' is set to 'Enabled' | Windows | CIS Mozilla Firefox ESR GPO v1.0.0 L1
1.2.7 Ensure that the APIPriorityAndFairness feature gate is enabled | OpenShift | CIS Red Hat OpenShift Container Platform v1.8.0 L1 OpenShift
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.11.1 L1 Master Node
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Enable 'service password-encryption' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.11.1 L1 Master Node
1.4.3 Set 'username secret' for all local users | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L2
1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L2
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.9.1.2 Ensure 'NTP authentication key' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.173 WN19-DC-000280 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.174 WN19-DC-000290 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT I
1.175 WN19-DC-000300 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT I
1.205 WN19-PK-000010 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.205 WN19-PK-000010 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.206 WN19-PK-000020 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.206 WN19-PK-000020 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.207 WN19-PK-000030 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.207 WN19-PK-000030 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
2.0 Install & Config - 'Enable FilerView HTTPS' | NetApp | TNS NetApp Data ONTAP 7G
2.1.1 Turn off Bluetooth, if no paired devices exist | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.1.1.1.1 Set the 'hostname' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.2 Set the 'ip domain-name' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
10.1.2 Ensure 'SMB protocol version' is set to 'SMB 3.1.1' or higher for SMB file shares | microsoft_azure | CIS Microsoft Azure Foundations v4.0.0 L1
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 10 L2 v1.1.0
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 10 L2 v1.1.0 Middleware
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 10.1 v1.1.0 L2
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 11 v1.0.0 L2
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 9 L2 v1.2.0
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 9 L2 v1.2.0 Middleware