Theme

CCI|CCI-001941

Title

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.

Reference Item Details

Reference: CCI - DISA Control Correlation Identifier

Category: 2013

Audit Items

Name	Plugin	Audit Name
AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - lssrc sshd	Unix	DISA STIG AIX 7.x v2r5
AIX7-00-001012 - AIX must use the SSH server to implement replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts - openssh.base.server	Unix	DISA STIG AIX 7.x v2r5
AOSX-13-000570 - The macOS system must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.	Unix	DISA STIG Apple Mac OSX 10.13 v2r5
APPL-11-000011 - The macOS system must disable the SSHD service.	Unix	DISA STIG Apple macOS 11 v1r5
APPL-11-000011 - The macOS system must disable the SSHD service.	Unix	DISA STIG Apple macOS 11 v1r6
CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - fips enabled	Cisco	DISA STIG Cisco ASA NDM v1r1
CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh cipher	Cisco	DISA STIG Cisco ASA NDM v1r1
CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh key-exchange	Cisco	DISA STIG Cisco ASA NDM v1r1
CASA-ND-000470 - The Cisco ASA must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version	Cisco	DISA STIG Cisco ASA NDM v1r1
Catalina - Enable SSH for Remote Access Sessions	Unix	NIST macOS Catalina v1.5.0 - All Profiles
CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh algorithm	Cisco	DISA STIG Cisco IOS Router NDM v2r3
CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh algorithm	Cisco	DISA STIG Cisco IOS XE Router NDM v2r3
CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version	Cisco	DISA STIG Cisco IOS-XR Router NDM v2r2
CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version	Cisco	DISA STIG Cisco IOS Router NDM v2r3
CISC-ND-000530 - The Cisco router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh version	Cisco	DISA STIG Cisco IOS XE Router NDM v2r3
CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh server algorithm	Cisco	DISA STIG Cisco IOS XE Switch NDM v2r2
CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh server algorithm	Cisco	DISA STIG Cisco IOS Switch NDM v2r3
CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh version 2	Cisco	DISA STIG Cisco IOS XE Switch NDM v2r2
CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh version 2	Cisco	DISA STIG Cisco IOS Switch NDM v2r3
CISC-ND-000530 - The Cisco switch must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ip ssh version 2	Cisco	DISA STIG Cisco NX-OS Switch NDM v2r3
DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions	Unix	DISA STIG Docker Enterprise 2.x Linux/Unix v2r1
ESXI-06-200037 - The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using Active Directory for local user authentication.	VMware	DISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-06-200038 - The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by using the vSphere Authentication Proxy.	VMware	DISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-06-200039 - The VMM must implement replay-resistant authentication mechanisms for network access to privileged accounts by restricting use of Active Directory ESX Admin group membership.	VMware	DISA STIG VMware vSphere 6.x ESXi v1r5
ESXI-67-000037 - The ESXi host must use Active Directory for local user authentication.	VMware	DISA STIG VMware vSphere 6.7 ESXi v1r2
ESXI-67-000038 - ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory.	VMware	DISA STIG VMware vSphere 6.7 ESXi v1r2
ESXI-67-000039 - Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory.	VMware	DISA STIG VMware vSphere 6.7 ESXi v1r2
FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts. - admin-https-ssl-versions tlsv1-2 tlsv1-3	FortiGate	DISA Fortigate Firewall NDM STIG v1r1
FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts. - admin-ssh-v1 disable	FortiGate	DISA Fortigate Firewall NDM STIG v1r1
FGFW-ND-000205 - The FortiGate device must implement replay-resistant authentication mechanisms for network access to privileged accounts. - ssl-min-proto-version TLSv1-2	FortiGate	DISA Fortigate Firewall NDM STIG v1r1
GEN005500 - The SSH daemon must be configured to only use the SSHv2 protocol.	Unix	DISA STIG Solaris 10 SPARC v2r2
GEN005500 - The SSH daemon must be configured to only use the SSHv2 protocol.	Unix	DISA STIG Solaris 10 X86 v2r2
JUNI-ND-000530 - The Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh mac	Juniper	DISA STIG Juniper Router NDM v2r1
JUNI-ND-000530 - The Juniper router must be configured to implement replay-resistant authentication mechanisms for network access to privileged accounts - ssh v2	Juniper	DISA STIG Juniper Router NDM v2r1
PANW-NM-000051 - The Palo Alto Networks security platform must implement replay-resistant authentication mechanisms for network access to privileged accounts.	Palo_Alto	DISA STIG Palo Alto NDM v2r1
PHTN-67-000068 - The Photon operating system must use OpenSSH for remote maintenance sessions.	Unix	DISA STIG VMware vSphere 6.7 Photon OS v1r3
RHEL-06-000227 - The SSH daemon must be configured to use only the SSHv2 protocol.	Unix	DISA Red Hat Enterprise Linux 6 STIG v2r2
SHPT-00-000530 - The Central Administration Web Application must use Kerberos as the authentication provider.	Windows	DISA STIG SharePoint 2010 v1r9
SHPT-00-000531 - SharePoint sites must not use NTLM - SharePoint sites must not use NTLM.	Windows	DISA STIG SharePoint 2010 v1r9
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - filters	Unix	DISA STIG Solaris 11 X86 v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - filters	Unix	DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - firewall/pflog	Unix	DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - service	Unix	DISA STIG Solaris 11 SPARC v2r6
SOL-11.1-050240 - The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception) - service	Unix	DISA STIG Solaris 11 X86 v2r6
SP13-00-000075 - SharePoint must use replay-resistant authentication mechanisms for network access to privileged accounts.	Windows	DISA STIG SharePoint 2013 v2r3
SYMP-NM-000230 - Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts. - HTTP-Console	BlueCoat	DISA Symantec ProxySG Benchmark NDM v1r2
SYMP-NM-000230 - Symantec ProxySG must implement HTTPS-console to provide replay-resistant authentication mechanisms for network access to privileged accounts. - HTTPS-Console	BlueCoat	DISA Symantec ProxySG Benchmark NDM v1r2
UBTU-16-030200 - The Ubuntu operating system must enforce SSHv2 for network access to all accounts.	Unix	DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010412 - The Ubuntu operating system must enforce SSHv2 for network access to all accounts.	Unix	DISA STIG Ubuntu 18.04 LTS v2r7
WBSP-AS-001080 - The WebSphere Application Server must provide security extensions to extend SOAP protocol and provide secure authentication	Windows	DISA IBM WebSphere Traditional 9 Windows STIG v1r1