CSCv6|16.14

Title

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges.

Description

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

Reference Item Details

Category: Account Monitoring and Control

Family: Application

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.1.1.7 Set 'Store passwords using reversible encryption' to 'Disabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.1.2 Ensure 'Enable Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1 |
| 1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 |
| 1.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.3 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 |
| 1.1.3.10.11 Configure 'Network access: Do not allow storage of passwords and credentials for network authentication' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.11.1 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.11.15 Set 'Network Security: Configure encryption types allowed for Kerberos' to 'RC4\AES128\AES256\Future types' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer' | Windows | CIS Windows 8 L1 v1.0.0 |
| 1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 1.1.6 Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 1.1.19 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 |
| 1.1.20 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1 |
| 1.1.20 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1 |
| 1.1.21 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 |
| 1.2.4.5.4 Set 'Always prompt for password upon connection' to 'Enabled' | Windows | CIS Windows 8 L1 v1.0.0 |
| 2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 2.3.10.4 Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 2.3.11.5 Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 |
| 2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Windows 7 Workstation Level 2 v3.2.0 |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0 |
| 2.6 Ensure transport layer security for 'basic authentication' is configured | Windows | CIS IIS 7 L1 v1.8.0 |
| 2.7 Ensure 'passwordFormat' is not set to clear - Applications | Windows | CIS IIS 7 L1 v1.8.0 |
| 2.7 Ensure 'passwordFormat' is not set to clear - Default | Windows | CIS IIS 7 L1 v1.8.0 |
| 2.8 Ensure 'credentials' are not stored in configuration files - Applications | Windows | CIS IIS 7 L2 v1.8.0 |
| 2.8 Ensure 'credentials' are not stored in configuration files - Default | Windows | CIS IIS 7 L2 v1.8.0 |
| 3.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 |
| 3.1.2 Ensure that the --basic-auth-file argument is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 |
| 3.1.15 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 |
| 3.1.15 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 |
| 4.5 Ensure 'SYS.USER$MIG' Has Been Dropped | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0 |
| 4.5 Ensure 'SYS.USER$MIG' Has Been Dropped | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0 |
| 18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.3.7 Ensure 'WDigest Authentication' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |
| 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.59.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker |
| 18.9.59.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0 |
| 18.9.59.3.9.1 Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 |