800-53|AC-18

Title

WIRELESS ACCESS

Description

The organization:

Supplemental

Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., EAP/TLS, PEAP), which provide credential protection and mutual authentication.

Reference Item Details

Related: AC-17,AC-19,AC-2,AC-3,CA-3,CA-7,CM-8,IA-2,IA-3,IA-8,PL-4,SI-4

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.2 Ensure intra-zone traffic is not always allowed | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1 |
| 1.2.1 Ensure 'Domain Name' is set | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.2 Ensure 'Host Name' is set | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.3 Ensure 'Failover' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.2.3 Ensure HTTP and Telnet options are disabled for the management interface | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.4 Ensure 'Unused Interfaces' is disable | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - HTTP | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.4 Ensure HTTP and Telnet options are disabled for all management profiles - Telnet | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Authentication Profile | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificate Profiles | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2 |
| 1.2.5 Ensure valid certificate is set for browser-based administrator interface - Certificates | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L2 |
| 1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.3 Disable all management related services on WAN port | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1 |
| 1.3.1 Pre-authentication Banner | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.3.2 Ensure 'Image Authenticity' is correct | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.3.2 Post-authentication Banner | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.3.5 Ensure that the --bind-address argument is set to 127.0.0.1 | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.10.0 L1 Master |
| 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Failed Attempts | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.4.2 Ensure 'Failed Attempts' and 'Lockout Time' for Authentication Profile are properly configured - Lockout Time | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master |
| 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master |
| 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master |
| 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.10.0 L1 Master |
| 1.4.2.1 Ensure 'TACACS+/RADIUS' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0 |
| 1.4.3.1 Ensure 'aaa authentication enable console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.2 Ensure 'aaa authentication http console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.3 Ensure 'aaa authentication secure-http-client' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.3.4 Ensure 'aaa authentication ssh console' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.4.1 Ensure 'aaa command authorization' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.4.2 Ensure 'aaa authorization exec' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.5.1 Ensure 'aaa accounting command' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.4.5.3 Ensure 'aaa accounting for EXEC mode' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1 |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1 |
| 1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L2 |
| 1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L2 |
| 1.7.1 Pre-authentication Banner | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |