CSCv7|4.3

Title

Ensure the Use of Dedicated Administrative Accounts

Description

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

Reference Item Details

Category: Controlled Use of Administrative Privileges

Audit Items

Name | Plugin | Audit Name
1.1.2 Ensure that the API server pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.14 Ensure that the admin.conf file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.16 Ensure that the scheduler.conf file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform 4 v1.2.0 L1
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Debian Family Workstation L1 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Debian 10 Server L1 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Debian Family Server L1 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Debian 10 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Debian Family Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Debian Family Server L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Debian 10 Server L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Debian 10 Workstation L1 v1.0.0
1.4 Ensure no 'root' user account access key exists - 'Access Key 1' | amazon_aws | CIS Amazon Web Services Foundations L1 1.5.0
1.4 Ensure no 'root' user account access key exists - 'Access Key 2' | amazon_aws | CIS Amazon Web Services Foundations L1 1.5.0
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 17 L1 v1.0.0
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 16 L1 v1.1.2
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - server | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.3.6 Ensure 'aaa authentication telnet console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.4.1 Ensure 'aaa command authorization' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L1
1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One' | microsoft_azure | CIS Microsoft Azure Foundations v1.5.0 L2