CCI|CCI-001941

Title

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Reference Item Details

Category: 2013

Audit Items

| Name | Plugin | Audit Name |
|---|---|---|
| AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - lssrc sshd | Unix | DISA STIG AIX 7.x v2r5 |
| AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - openssh.base.server | Unix | DISA STIG AIX 7.x v2r5 |
| AOSX-13-000570 - The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5 |
| APPL-11-000011 - The macOS system must disable the SSHD service. | Unix | DISA STIG Apple macOS 11 v1r5 |
| APPL-11-000011 - The macOS system must disable the SSHD service. | Unix | DISA STIG Apple macOS 11 v1r6 |
| CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - fips enabled | Cisco | DISA STIG Cisco ASA NDM v1r1 |
| CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh cipher | Cisco | DISA STIG Cisco ASA NDM v1r1 |
| CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh key-exchange | Cisco | DISA STIG Cisco ASA NDM v1r1 |
| CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version | Cisco | DISA STIG Cisco ASA NDM v1r1 |
| Catalina - Enable SSH for Remote Access Sessions | Unix | NIST macOS Catalina v1.5.0 - All Profiles |
| CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh algorithm | Cisco | DISA STIG Cisco IOS Router NDM v2r3 |
| CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh algorithm | Cisco | DISA STIG Cisco IOS XE Router NDM v2r3 |
| CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version | Cisco | DISA STIG Cisco IOS-XR Router NDM v2r2 |
| CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version | Cisco | DISA STIG Cisco IOS Router NDM v2r3 |
| CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version | Cisco | DISA STIG Cisco IOS XE Router NDM v2r3 |
| CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh server algorithm | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r2 |
| CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh server algorithm | Cisco | DISA STIG Cisco IOS Switch NDM v2r3 |
| CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh version 2 | Cisco | DISA STIG Cisco IOS XE Switch NDM v2r2 |
| CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh version 2 | Cisco | DISA STIG Cisco IOS Switch NDM v2r3 |
| CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh version 2 | Cisco | DISA STIG Cisco NX-OS Switch NDM v2r3 |
| DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix v2r1 |
| ESXI-06-200037 - The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using Active Directory for local user authentication. | VMware | DISA STIG VMware vSphere 6.x ESXi v1r5 |
| ESXI-06-200038 - The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using the vSphere Authentication Proxy. | VMware | DISA STIG VMware vSphere 6.x ESXi v1r5 |
| ESXI-06-200039 - The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership. | VMware | DISA STIG VMware vSphere 6.x ESXi v1r5 |
| ESXI-67-000037 - The ESXi host must use Active Directory for local user authentication. | VMware | DISA STIG VMware vSphere 6.7 ESXi v1r2 |
| ESXI-67-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. | VMware | DISA STIG VMware vSphere 6.7 ESXi v1r2 |
| ESXI-67-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. | VMware | DISA STIG VMware vSphere 6.7 ESXi v1r2 |
| FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts. - admin-https-ssl-versions tlsv1-2 tlsv1-3 | FortiGate | DISA Fortigate Firewall NDM STIG v1r1 |
| FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts. - admin-ssh-v1 disable | FortiGate | DISA Fortigate Firewall NDM STIG v1r1 |
| FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts. - ssl-min-proto-version TLSv1-2 | FortiGate | DISA Fortigate Firewall NDM STIG v1r1 |
| GEN005500 - The SSH daemon must be configured to only use the SSHv2 protocol. | Unix | DISA STIG Solaris 10 SPARC v2r2 |
| GEN005500 - The SSH daemon must be configured to only use the SSHv2 protocol. | Unix | DISA STIG Solaris 10 X86 v2r2 |
| JUNI-ND-000530 - The Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh mac | Juniper | DISA STIG Juniper Router NDM v2r1 |
| JUNI-ND-000530 - The Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh v2 | Juniper | DISA STIG Juniper Router NDM v2r1 |
| PANW-NM-000051 - The Palo Alto Networks security platform must implement replay-resistant authentication mechanisms for network access to privileged accounts. | Palo_Alto | DISA STIG Palo Alto NDM v2r1 |
| PHTN-67-000068 - The Photon operating system must use OpenSSH for remote maintenance sessions. | Unix | DISA STIG VMware vSphere 6.7 Photon OS v1r3 |
| RHEL-06-000227 - The SSH daemon must be configured to use only the SSHv2 protocol. | Unix | DISA Red Hat Enterprise Linux 6 STIG v2r2 |
| SHPT-00-000530 - The Central Administration Web Application must use Kerberos as the authentication provider. | Windows | DISA STIG SharePoint 2010 v1r9 |
| SHPT-00-000531 - SharePoint sites must not use NTLM - SharePoint sites must not use NTLM. | Windows | DISA STIG SharePoint 2010 v1r9 |
| SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - filters | Unix | DISA STIG Solaris 11 X86 v2r6 |
| SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - filters | Unix | DISA STIG Solaris 11 SPARC v2r6 |
| SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - firewall/pflog | Unix | DISA STIG Solaris 11 SPARC v2r6 |
| SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - service | Unix | DISA STIG Solaris 11 SPARC v2r6 |
| SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - service | Unix | DISA STIG Solaris 11 X86 v2r6 |
| SP13-00-000075 - SharePoint must use replay-resistant authentication mechanisms for network access to privileged accounts. | Windows | DISA STIG SharePoint 2013 v2r3 |
| SYMP-NM-000230 - Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts. - HTTP-Console | BlueCoat | DISA Symantec ProxySG Benchmark NDM v1r2 |
| SYMP-NM-000230 - Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts. - HTTPS-Console | BlueCoat | DISA Symantec ProxySG Benchmark NDM v1r2 |
| UBTU-16-030200 - The Ubuntu operating system must enforce SSHv2 for network access to all accounts. | Unix | DISA STIG Ubuntu 16.04 LTS v2r3 |
| UBTU-18-010412 - The Ubuntu operating system must enforce SSHv2 for network access to all accounts. | Unix | DISA STIG Ubuntu 18.04 LTS v2r7 |
| WBSP-AS-001080 - The WebSphere Application Server must provide security extensions to extend SOAP protocol and provide secure authentication | Windows | DISA IBM WebSphere Traditional 9 Windows STIG v1r1 |