| 1.1.1 Enable 'aaa new-model' | CIS Cisco IOS 12 L1 v4.0.0 | Cisco | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 1.1.3.10.2 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled' | CIS Windows 8 L1 v1.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly - protocol | CIS Cisco Firewall ASA 9 L1 v4.1.0 | Cisco | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 1.8.8 Ensure users must authenticate users using MFA via a graphical user logon | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG | Unix | IDENTIFICATION AND AUTHENTICATION |
| 2.3.2 Ensure rsh client is not installed - rsh-client | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.2 Ensure rsh client is not installed - rsh-client | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.2 Ensure rsh client is not installed - rsh-redone-client | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.2 Ensure rsh client is not installed - rsh-redone-client | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.4 Ensure telnet client is not installed | CIS Debian 9 Server L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.4 Ensure telnet client is not installed | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Windows 7 Workstation Level 1 v3.2.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.3.10.1 Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 3.1 Ensure a secondary SharePoint site collection administrator has been defined on each site collection. | CIS Microsoft SharePoint 2016 OS v1.1.0 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.3 Forbid Dial in Access | CIS Juniper OS Benchmark v2.1.0 L2 | Juniper | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| 5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM. | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.4.10 Ensure certificate status checking for PKI authentication | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG | Unix | IDENTIFICATION AND AUTHENTICATION |
| 6.3.2 Ensure Local Accounts can ONLY be used during loss of external AAA | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 6.6 Ensure ALL Events are Audited - audit_log_filter | CIS MySQL 5.7 Enterprise Database L2 v2.0.0 | MySQLDB | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 6.6 Ensure ALL Events are Audited - audit_log_user | CIS MySQL 5.7 Enterprise Database L2 v2.0.0 | MySQLDB | AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 6.8.1 Ensure External AAA Server is set | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | IDENTIFICATION AND AUTHENTICATION |
| 6.8.5 Ensure Source-Address is set for External AAA Servers | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | IDENTIFICATION AND AUTHENTICATION |
| 6.10.6 Ensure Telnet is Not Set | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| 6.10.7 Ensure Reverse Telnet is Not Set | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| 9.2.4 Verify No Legacy '+' Entries Exist in /etc/group File - + Entries Exist in /etc/group File | CIS Red Hat Enterprise Linux 5 L1 v2.2.1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 18.2.1 Ensure LAPS AdmPwd GPO Extension / CSE is installed | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| 18.9.59.3.9.3 Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| Always prompt for password upon connection | MSCT Windows 10 v1507 v1.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Always prompt for password upon connection | MSCT Windows Server v20H2 MS v1.0.0 | Windows | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - ChallengeResponseAuthentication | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - enforceSmartCard | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - PasswordAuthentication | DISA STIG Apple Mac OSX 10.15 v1r10 | Unix | IDENTIFICATION AND AUTHENTICATION, MAINTENANCE |
| APPL-15-003020 - The macOS system must enforce smart card authentication. | DISA Apple macOS 15 (Sequoia) STIG v1r1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Enforce multifactor authentication for network access to non-privileged accounts | NIST macOS Big Sur v1.4.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Enforce multifactor authentication for network access to privileged accounts | NIST macOS Big Sur v1.4.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| Catalina - Enforce multifactor authentication for network access to non-privileged accounts | NIST macOS Catalina v1.5.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| Catalina - Enforce multifactor authentication for network access to privileged accounts | NIST macOS Catalina v1.5.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002180 - SAML integration must be enabled in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| Ensure 'TACACS+/RADIUS' is configured correctly - protocol | Tenable Cisco Firepower Best Practices Audit | Cisco | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| Monterey - Disable Root Login for SSH | NIST macOS Monterey v1.0.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| Monterey - Enforce multifactor authentication for network access to non-privileged accounts | NIST macOS Monterey v1.0.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| Monterey - Enforce multifactor authentication for network access to privileged accounts | NIST macOS Monterey v1.0.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION |
| RHEL-09-215075 - RHEL 9 must have the openssl-pkcs11 package installed. | DISA Red Hat Enterprise Linux 9 STIG v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| WN22-DC-000030 - Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN22-DC-000040 - Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN22-DC-000050 - Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WN22-DC-000060 - Windows Server 2022 computer clock synchronization tolerance must be limited to five minutes or less. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION |
