800-53|SC-11

Title

TRUSTED PATH

Description

The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].

Supplemental

Trusted paths are mechanisms by which users (through input devices) can communicate directly with security functions of information systems with the requisite assurance to support information security policies. The mechanisms can be activated only by users or the security functions of organizational information systems. User responses via trusted paths are protected from modifications by or disclosure to untrusted applications. Organizations employ trusted paths for high-assurance connections between security functions of information systems and users (e.g., during system logons). Enforcement of trusted communications paths is typically provided via an implementation that meets the reference monitor concept.

Reference Item Details

Related: AC-16, AC-25

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P0

Audit Items

Name | Plugin | Audit Name
1.4 Set 'External send connector authentication: DNS Routing' to 'True' | Windows | CIS Microsoft Exchange Server 2016 Edge v1.0.0
1.4 Set 'External send connector authentication: DNS Routing' to 'True' | Windows | CIS Microsoft Exchange Server 2013 Edge v1.1.0
2.2.8 Ensure 'External send connector authentication: DNS routing' is set to 'True' | Windows | CIS Microsoft Exchange Server 2019 L1 Mailbox v1.0.0
APPL-14-004022 - The macOS system must require users to reauthenticate for privilege escalation when using the 'sudo' command. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r1
APPL-14-004060 - The macOS system must configure sudoers timestamp type. | Unix | DISA Apple macOS 14 (Sonoma) STIG v2r1
CASA-VN-000350 - The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less. | Cisco | DISA STIG Cisco ASA VPN v2r1
CASA-VN-000360 - The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less. | Cisco | DISA STIG Cisco ASA VPN v2r1
CD12-00-010100 - PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1
EPAS-00-008800 - The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | PostgreSQLDB | EnterpriseDB PostgreSQL Advanced Server DB v2r1
MADB-10-008200 - MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | MySQLDB | DISA MariaDB Enterprise 10.x v2r1 DB
MYS8-00-010400 - The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | MySQLDB | DISA Oracle MySQL 8.0 v2r1 DB
OL08-00-010380 - OL 8 must require users to provide a password for privilege escalation. | Unix | DISA Oracle Linux 8 STIG v2r1
OL08-00-010381 - OL 8 must require users to reauthenticate for privilege escalation and changing roles. | Unix | DISA Oracle Linux 8 STIG v2r1
OL08-00-010384 - OL 8 must require reauthentication when using the 'sudo' command. | Unix | DISA Oracle Linux 8 STIG v2r1
OL08-00-010385 - The OL 8 operating system must not be configured to bypass password requirements for privilege escalation. | Unix | DISA Oracle Linux 8 STIG v2r1
PHTN-40-000133 - The Photon operating system must require users to reauthenticate for privilege escalation. | Unix | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1
SLES-15-010450 - The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges. | Unix | DISA SLES 15 STIG v2r1
SLES-15-020102 - The SUSE operating system must require reauthentication when using the 'sudo' command - sudo command. | Unix | DISA SLES 15 STIG v2r1
SLES-15-020104 - The SUSE operating system must not be configured to bypass password requirements for privilege escalation. | Unix | DISA SLES 15 STIG v2r1
SPLK-CL-000180 - Splunk Enterprise idle session timeout must be set to not exceed 15 minutes. | Splunk | DISA STIG Splunk Enterprise 7.x for Windows v3r1 REST API
WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r1 Middleware
WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r1
WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - Listen Port | Windows | Oracle WebLogic Server 12c Windows v2r1
WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - SSL Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r1 Middleware
WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - SSL Listen Port | Unix | Oracle WebLogic Server 12c Linux v2r1
WBLC-08-000211 - Oracle WebLogic must establish a trusted communications path between the user and organization-defined security functions within the information system - SSL Listen Port | Windows | Oracle WebLogic Server 12c Windows v2r1
WN10-CC-000145 - Users must be prompted for a password on resume from sleep (on battery). | Windows | DISA Windows 10 STIG v3r2
WN10-CC-000150 - The user must be prompted for a password on resume from sleep (plugged in). | Windows | DISA Windows 10 STIG v3r2
WN10-CC-000355 - The Windows Remote Management (WinRM) service must not store RunAs credentials. | Windows | DISA Windows 10 STIG v3r2
WPAW-00-001700 - The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW. | Windows | DISA MS Windows Privileged Access Workstation v3r1