800-53|IA-2(11)

Title

REMOTE ACCESS - SEPARATE DEVICE

Description

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.8.8 Ensure users must authenticate users using MFA via a graphical user logonUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installedUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed - escUnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11UnixCIS Amazon Linux 2 STIG v1.0.0 L3
4.4.1.1 Ensure latest version of pam is installedUnixCIS AlmaLinux OS 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Rocky Linux 8 Workstation L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS CentOS Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Red Hat EL8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installedUnixCIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installedUnixCIS Red Hat EL8 Server L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 7 v4.0.0 L1 Workstation
4.4.1.1 Ensure latest version of pam is installedUnixCIS Rocky Linux 8 Server L1 v2.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS CentOS Linux 7 v4.0.0 L1 Server
4.4.1.1 Ensure latest version of pam is installedUnixCIS Amazon Linux 2 v3.0.0 L1
4.4.1.1 Ensure latest version of pam is installedUnixCIS AlmaLinux OS 8 Workstation L1 v3.0.0
4.4.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 7 v4.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installedUnixCIS AlmaLinux OS 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installedUnixCIS AlmaLinux OS 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installedUnixCIS Rocky Linux 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installedUnixCIS Red Hat Enterprise Linux 9 v2.0.0 L1 Workstation
5.3.1.1 Ensure latest version of pam is installedUnixCIS Rocky Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installedUnixCIS Red Hat Enterprise Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 9 v2.0.0 L1 Server
5.3.1.1 Ensure latest version of pam is installedUnixCIS Oracle Linux 9 v2.0.0 L1 Workstation
5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM.UnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.10 Ensure certificate status checking for PKI authenticationUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication.UnixDISA STIG AIX 7.x v3r1
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.UnixDISA STIG Apple Mac OSX 10.14 v2r6
APPL-14-001150 - The macOS system must disable password authentication for SSH.UnixDISA Apple macOS 14 (Sonoma) STIG v2r2
APPL-14-003020 - The macOS system must enforce smart card authentication.UnixDISA Apple macOS 14 (Sonoma) STIG v2r2
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard AuthenticationUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
OL07-00-010061 - The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.UnixDISA Oracle Linux 7 STIG v3r1
OL07-00-041001 - The Oracle Linux operating system must have the required packages for multifactor authentication installed.UnixDISA Oracle Linux 7 STIG v3r1
OL07-00-041002 - The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM) - PAM.UnixDISA Oracle Linux 7 STIG v3r1
OL07-00-041003 - The Oracle Linux operating system must implement certificate status checking for PKI authentication.UnixDISA Oracle Linux 7 STIG v3r1
OL08-00-010390 - OL 8 must have the package required for multifactor authentication installed.UnixDISA Oracle Linux 8 STIG v2r2
OL08-00-010400 - OL 8 must implement certificate status checking for multifactor authentication.UnixDISA Oracle Linux 8 STIG v2r2
RHEL-07-010061 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.UnixDISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-041001 - The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.UnixDISA Red Hat Enterprise Linux 7 STIG v3r15