800-53|AC-17(2)

Title

PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION

Description

The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

Supplemental

The encryption strength of mechanism is selected based on the security categorization of the information.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-12,SC-13,SC-8

Category: ACCESS CONTROL

Parent Title: REMOTE ACCESS

Family: ACCESS CONTROL

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH	Palo_Alto	CIS Palo Alto Firewall 7 Benchmark L1 v1.0.0
1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH	Palo_Alto	CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0
1.2.3 Ensure that the --kubelet-https argument is set to true	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.4 Use https for kubelet connections	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.4.5.3 Set 'Encryption Level' to 'Enabled:High Level'	Windows	CIS Windows 8 L1 v1.0.0
1.2.4.6.5 Set 'Allow unencrypted traffic' to 'Disabled'	Windows	CIS Windows 8 L1 v1.0.0
1.2.5 Ensure valid certificate is set for browser-based administrator interface	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L2
1.2.5 Ensure valid certificate is set for browser-based administrator interface	Palo_Alto	CIS Palo Alto Firewall 10 v1.2.0 L2
1.2.16 Ensure that the --secure-port argument is not set to 0	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.16 Ensure that the --secure-port argument is not set to 0	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.18 Ensure that the --secure-port argument is not set to 0	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.19 Ensure that the --secure-port argument is not set to 0	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.24 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate	Unix	CIS Kubernetes v1.10.0 L1 Master
1.2.25 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.10.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.26 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.27 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.27 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.29 Ensure that the --client-ca-file argument is set as appropriate	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.30 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.30 Ensure that the --etcd-cafile argument is set as appropriate	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.10.0 L1 Master
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L2 Master
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L2 Master
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true	Unix	CIS Kubernetes v1.10.0 L1 Master
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L2 Master
1.5.1 Ensure 'V3' is selected for SNMP polling	Palo_Alto	CIS Palo Alto Firewall 11 v1.1.0 L1
1.5.1 Ensure 'V3' is selected for SNMP polling	Palo_Alto	CIS Palo Alto Firewall 9 v1.1.0 L1
1.5.1 Ensure 'V3' is selected for SNMP polling	Palo_Alto	CIS Palo Alto Firewall 10 v1.2.0 L1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3	Cisco	CIS Cisco IOS XE 16.x v2.1.0 L2
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3	Cisco	CIS Cisco IOS XE 17.x v2.1.0 L2
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS CentOS Linux 8 Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Fedora 28 Family Linux Server L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS CentOS Linux 8 Workstation L1 v2.0.0
1.10 Ensure system-wide crypto policy is not legacy	Unix	CIS Fedora 28 Family Linux Workstation L1 v2.0.0
1.10.1 (L1) Ensure 'Allow Basic authentication for HTTP' is set to 'Disabled'	Windows	CIS Microsoft Edge v3.0.0 L1
1.10.3 (L2) Ensure 'Supported authentication schemes' is set to 'Enabled: ntlm, negotiate'	Windows	CIS Microsoft Edge v3.0.0 L2
1.12 Ensure 'Internet-facing receive connectors' is set to 'Tls, BasicAuth, BasicAuthRequireTLS'	Windows	CIS Microsoft Exchange Server 2019 L1 Edge v1.0.0

Detections

Analytics