CSCv7|4.3

Title

Ensure the Use of Dedicated Administrative Accounts

Description

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

Reference Item Details

Category: Controlled Use of Administrative Privileges

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.2 Ensure that the API server pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.14 Ensure that the kubeconfig file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.16 Ensure that the Scheduler kubeconfig file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.18 Ensure that the Controller Manager kubeconfig file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.1.19 Ensure that the OpenShift PKI directory and file ownership is set to root:root | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.2.5 Ensure Exec Timeout for Remote Administrative Sessions (VTY) is set | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.3.1 Ensure sudo is installed | Unix | CIS Debian Family Workstation L1 v1.0.0 |
| 1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0 |
| 1.3.1 Ensure sudo is installed | Unix | CIS Debian Family Server L1 v1.0.0 |
| 1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0 |
| 1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0 |
| 1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Server v1.0.0 |
| 1.3.2 Ensure sudo commands use pty | Unix | CIS Debian Family Server L1 v1.0.0 |
| 1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LXD Container L1 v1.0.0 |
| 1.3.2 Ensure sudo commands use pty | Unix | CIS Debian Family Workstation L1 v1.0.0 |
| 1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LXD Host L1 Workstation v1.0.0 |
| 1.4 Ensure no 'root' user account access key exists | amazon_aws | CIS Amazon Web Services Foundations L1 3.0.0 |
| 1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS XE 17.x v2.1.0 L1 |
| 1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS XE 16.x v2.1.0 L1 |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0 |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - server | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.3.4 Ensure 'aaa authentication serial console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.4.3.4 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.4.3.5 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.3.6 Ensure 'aaa authentication telnet console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.4.1 Ensure 'aaa command authorization' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.12 Ensure that no users have ACCOUNTADMIN or SECURITYADMIN as the default role | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |
| 1.13 Ensure that the ACCOUNTADMIN or SECURITYADMIN role is not granted to any custom role | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |
| 1.14 Ensure that Snowflake tasks are not owned by the ACCOUNTADMIN or SECURITYADMIN roles | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |
| 1.15 Ensure that Snowflake tasks do not run with the ACCOUNTADMIN or SECURITYADMIN role privileges | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |
| 1.16 Ensure that Snowflake stored procedures are not owned by the ACCOUNTADMIN or SECURITYADMIN roles | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |
| 1.17 Ensure Snowflake stored procedures do not run with ACCOUNTADMIN or SECURITYADMIN role privileges | Snowflake | CIS Snowflake Foundations v1.0.0 L1 |