800-53|MA-4

Title

NONLOCAL MAINTENANCE

Description

The organization:

Supplemental

Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network. Local maintenance and diagnostic activities are those activities carried out by individuals physically present at the information system or information system component and not communicating across a network connection. Authentication techniques used in the establishment of nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2. Typically, strong authentication requires authenticators that are resistant to replay attacks and employ multifactor authentication. Strong authenticators include, for example, PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished in part by other controls.

Reference Item Details

Related: AC-17, AC-2, AC-3, AC-6, AU-2, AU-3, IA-2, IA-4, IA-5, IA-8, MA-2, MA-5, MP-6, PL-2, SC-10, SC-17, SC-7

Category: MAINTENANCE

Family: MAINTENANCE

Priority: P2

Baseline Impact: LOW,MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.2.2 Ensure that the --basic-auth-file argument is not set | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.2.3 Ensure that the --token-auth-file parameter is not set | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1 |
| 1.2.3 Limit SSH Login Attempts | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.2.4 Ensure Exec Timeout for Console Sessions is set | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.2.5 Ensure Exec Timeout for Remote Administrative Sessions (VTY) is set | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.2.6 Set the Maximum Number of VTY Sessions | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.2.7 Disable the Telnet Feature | Cisco | CIS Cisco NX-OS L1 v1.1.0 |
| 1.4 (L1) Host hardware must enable and configure a TPM 2.0 | VMware | CIS VMware ESXi 8.0 v1.1.0 L1 |
| 1.6 (L1) Host integrated hardware management controller must enable time synchronization | VMware | CIS VMware ESXi 8.0 v1.1.0 L1 |
| 1.6.3 Ensure Exec Timeout for Console Sessions is set | Cisco | CIS Cisco IOS XR 7.x v1.0.0 L1 |
| 1.6.4 Ensure 'SCP protocol' is set to Enable for files transfers | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0 |
| 1.6.5 Ensure 'Telnet' is disabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.7.1 Ensure 'HTTP source restriction' is set to an authorized IP address | Cisco | CIS Cisco ASA 9.x Firewall L2 v1.1.0 |
| 1.7.3 Ensure 'SSL AES 256 encryption' is set for HTTPS access | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.8.3 Set SSH Key Modulus Length | Cisco | CIS Cisco NX-OS L2 v1.1.0 |
| 1.9 (L2) Host hardware must enable AMD SEV-ES, if available | VMware | CIS VMware ESXi 8.0 v1.1.0 L2 |
| 1.10 (L2) Host hardware must enable Intel SGX, if available | VMware | CIS VMware ESXi 8.0 v1.1.0 L2 |
| 2.11 (L1) Host must use sufficient entropy for cryptographic operations | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 3.6.1.1 OpenSSH - Installation | Unix | CIS IBM AIX 7.1 L1 v2.1.0 |
| 3.24 (L1) Host must display a login banner for the DCUI and Host Client | VMware | CIS VMware ESXi 8.0 v1.1.0 L1 |
| 4.1.3.8 Ensure changes to system administration scope (sudoers) is collected - sudoers | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.3.8 Ensure changes to system administration scope (sudoers) is collected - sudoers.d | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.3.13 Ensure login and logout events are collected - faillock | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.1.3.13 Ensure login and logout events are collected - lastlog | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.3.3 daemon | Unix | CIS IBM AIX 7.1 L1 v2.1.0 |
| 4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | GCP | CIS Google Kubernetes Engine (GKE) v1.6.1 L2 |
| 4.7.3.12 Ensure sshd MaxAuthTries is configured | Unix | CIS IBM AIX 7 v1.0.0 L1 |
| 4.7.3.17 Ensure sshd ReKeyLimit is configured | Unix | CIS IBM AIX 7 v1.0.0 L1 |
| 5.1.4 Ensure SSH Protocol is set to 2 | Unix | CIS Google Container-Optimized OS v1.2.0 L1 Server |
| 5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise 15 Server L1 v1.1.1 |
| 5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise 12 v3.2.0 L1 Server |
| 5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise 15 Workstation L1 v1.1.1 |
| 5.5 Ensure root login is restricted to system console | Unix | CIS SUSE Linux Enterprise 12 v3.2.0 L1 Workstation |
| 5.6 Ensure root login is restricted to system console | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Server |
| 5.6 Ensure root login is restricted to system console | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 L1 Workstation |
| 5.043 - Terminal Services is not configured with the client connection encryption set to the required level. | Windows | DISA Windows Vista STIG v6r41 |
| 6.5.4 (L1) Host SSH daemon, if enabled, must not allow host-based authentication | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.5 (L1) Host SSH daemon, if enabled, must set a timeout count on idle sessions | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.6 (L1) Host SSH daemon, if enabled, must set a timeout interval on idle sessions | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.7 (L1) Host SSH daemon, if enabled, must display the system login banner before granting access | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.8 (L1) Host SSH daemon, if enabled, must ignore .rhosts files | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.9 (L1) Host SSH daemon, if enabled, must disable stream local forwarding | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.10 (L1) Host SSH daemon, if enabled, must disable TCP forwarding | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.11 (L1) Host SSH daemon, if enabled, must not permit tunnels | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 6.5.12 (L1) Host SSH daemon, if enabled, must not permit user environment settings | Unix | CIS VMware ESXi 8.0 v1.1.0 L1 Bare Metal |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | Unix | CIS Apache Tomcat 10 L1 v1.1.0 |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | Unix | CIS Apache Tomcat 10 L1 v1.1.0 Middleware |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files | Unix | CIS Apache Tomcat 10.1 v1.0.0 L1 |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 9 L1 v1.2.0 |
| 10.1 Ensure Web content directory is on a separate partition from the Tomcat system files - verify Web content directory | Unix | CIS Apache Tomcat 9 L1 v1.2.0 Middleware |