CSCv7|16.7

Title

Establish Process for Revoking Access

Description

Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

Reference Item Details

Category: Account Monitoring and Control

Audit Items

Name | Plugin | Audit Name
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
2.2.10 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
2.2.12 Ensure 'SEC_MAX_FAILED_LOGIN_ATTEMPTS' Is '3' or Less | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.1 Ensure 'FAILED_LOGIN_ATTEMPTS' Is Less than or Equal to '5' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.10.0 L1 Master
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
3.1.1 Client certificate authentication should not be used for users | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
3.1.2 Service account token authentication should not be used for users | Unix | CIS Kubernetes v1.10.0 L1 Master
3.1.3 Bootstrap token authentication should not be used for users | Unix | CIS Kubernetes v1.10.0 L1 Master
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
3.2 Ensure 'PASSWORD_LOCK_TIME' Is Greater than or Equal to '1' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
3.3 Ensure 'PASSWORD_LIFE_TIME' Is Less than or Equal to '90' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
3.3.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults. | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
3.3.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L2
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 12c DB Traditional Auditing v3.0.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 12c DB Unified Auditing v3.0.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 19c DB Traditional Auditing v1.2.0
3.8 Ensure 'SESSIONS_PER_USER' Is Less than or Equal to '10' | OracleDB | CIS Oracle Server 19c DB Unified Auditing v1.2.0
3.12 (L1) Host must lock an account after a specified number of failed login attempts | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
4.3 (L1) Ensure the maximum failed login attempts is set to 5 | VMware | CIS VMware ESXi 7.0 v1.4.0 L1
4.3 Ensure the maximum failed login attempts is set to 5 | VMware | CIS VMware ESXi 6.7 v1.3.0 Level 1
4.4 Ensure that Storage Account Access Keys are Periodically Regenerated | microsoft_azure | CIS Microsoft Azure Foundations v3.0.0 L1
4.4.1 Ensure custom authselect profile is used | Unix | CIS Amazon Linux 2023 Server L1 v1.0.0
4.4.2 Ensure authselect includes with-faillock | Unix | CIS Amazon Linux 2023 Server L1 v1.0.0
4.4.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v2.0.1
4.4.2 Ensure lockout for failed password attempts is configured | Unix | CIS Debian 10 Workstation L1 v2.0.0
4.4.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v2.0.1
4.4.2 Ensure lockout for failed password attempts is configured | Unix | CIS Debian 10 Server L1 v2.0.0
4.4.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Server
4.4.2 Ensure lockout for failed password attempts is configured | Unix | CIS Ubuntu Linux 18.04 LTS v2.2.0 L1 Workstation
4.4.2.1 Ensure active authselect profile includes pam modules | Unix | CIS Oracle Linux 8 Workstation L1 v3.0.0