800-53|MA-4

Title

NONLOCAL MAINTENANCE

Description

The organization:

Supplemental

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

Reference Item Details

Related: AC-17, AC-2, AC-3, AC-6, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-10, SC-17, SC-7

Category: MAINTENANCE

Family: MAINTENANCE

Priority: P2

Baseline Impact: LOW, MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
--- | --- | ---
1.2.1 Restrict Access to VTY Sessions | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.2.2 Ensure that the --basic-auth-file argument is not set | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.2 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.2 Ensure that the --token-auth-file parameter is not set | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.3 Ensure that the --DenyServiceExternalIPs is not set | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.2.3 Ensure that the --DenyServiceExternalIPs is not set | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.2.3 Ensure that the --token-auth-file parameter is not set | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.2.3 Ensure that the DenyServiceExternalIPs is set | Unix | CIS Kubernetes v1.10.0 L1 Master
1.2.3 Limit SSH Login Attempts | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.2.4 Ensure Exec Timeout for Console Sessions is set | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.2.5 Ensure Exec Timeout for Remote Administrative Sessions (VTY) is set | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.2.6 Set the Maximum Number of VTY Sessions | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.2.7 Disable the Telnet Feature | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.3 (L1) Host hardware must enable Intel TXT, if available | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
1.4 (L1) Host hardware must enable and configure a TPM 2.0 | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
1.5 (L1) Host integrated hardware management controller must be secure | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
1.5.3 Configure SNMPv3 | Cisco | CIS Cisco NX-OS L2 v1.1.0
1.5.4 Configure SNMP Traps | Cisco | CIS Cisco NX-OS L2 v1.1.0
1.5.5 Configure SNMP Source Interface for Traps | Cisco | CIS Cisco NX-OS L2 v1.1.0
1.5.6 Do not Configure a Read Write SNMP Community String | Cisco | CIS Cisco NX-OS L2 v1.1.0
1.6 (L1) Host integrated hardware management controller must enable time synchronization | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
1.6.1 Disable Telnet Access | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.6.3 Ensure Exec Timeout for Console Sessions is set | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1
1.6.4 Ensure 'SCP protocol' is set to Enable for files transfers | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0
1.6.5 Ensure 'Telnet' is disabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.7.1 Ensure 'HTTP source restriction' is set to an authorized IP address | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0
1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.8.3 Set SSH Key Modulus Length | Cisco | CIS Cisco NX-OS L2 v1.1.0
1.9 (L2) Host hardware must enable AMD SEV-ES, if available | VMware | CIS VMware ESXi 8.0 v1.1.0 L2
1.9 Use Dedicated 'mgmt' Interface and VRF for Administrative Functions | Cisco | CIS Cisco NX-OS L2 v1.1.0
1.10 (L2) Host hardware must enable Intel SGX, if available | VMware | CIS VMware ESXi 8.0 v1.1.0 L2
2.6.7 Audit Lockdown Mode | Unix | CIS Apple macOS 14.0 Sonoma v1.1.0 L2
2.6.7 Audit Lockdown Mode | Unix | CIS Apple macOS 13.0 Ventura v2.1.0 L2
2.11 (L1) Host must use sufficient entropy for cryptographic operations | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal
2.12 (L2) Host must enable volatile key destruction | VMware | CIS VMware ESXi 8.0 v1.1.0 L2
3.4 Ensure non-default application inspection is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
3.6.1.1 OpenSSH - Installation | Unix | CIS IBM AIX 7.1 L1 v2.1.0
3.24 (L1) Host must display a login banner for the DCUI and Host Client | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
3.25 (L1) Host must display a login banner for SSH connections | VMware | CIS VMware ESXi 8.0 v1.1.0 L1
4.1.3.10 Ensure use of privileged commands is collected | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EACCES 32 bit | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EACCES 64 bit | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EPERM 32 bit | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.3.11 Ensure unsuccessful unauthorized file access attempts are collected - creat EPERM 64 bit | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | Unix | CIS Apache Tomcat 10 L1 v1.1.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | Unix | CIS Apache Tomcat 10 L1 v1.1.0 Middleware
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 9 L1 v1.2.0
10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 9 L1 v1.2.0 Middleware