800-53|SC-23

Title

SESSION AUTHENTICITY

Description

The information system protects the authenticity of communications sessions.

Supplemental

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.
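The threats the guidance names (a third party injecting records, a captured record replayed, a record altered in transit, a record from one session relayed into another) are all what a session-level authenticity mechanism has to reject. The following is an added illustration, not part of the NIST control text or of any audit listed below: a minimal session record format that binds every record to a per-session key, the session identifier and a monotonically increasing sequence number with HMAC-SHA256, and a driver that runs one legitimate exchange and four attacks against it. The session key is generated locally with `os.urandom` purely as a stand-in for the key that a real session would derive from its authenticated key exchange (a TLS or SSH handshake); the record layout, class and function names are all constructed for this example.

```python
import hashlib
import hmac
import os
import struct

SID_LEN = 16   # session identifier length in bytes (constructed format)
SEQ_LEN = 8    # 64-bit big-endian sequence number
TAG_LEN = 32   # HMAC-SHA256 tag length


class SessionEndpoint:
    """One end of an authenticated session (constructed example).

    Every record carries session id, sequence number and payload under one
    MAC keyed with the per-session key, so a party that did not take part in
    session establishment can neither inject nor modify records, a captured
    record cannot be replayed within the session, and a record from another
    session is not accepted here even if it is authentic there.
    """

    def __init__(self, session_key: bytes, session_id: bytes) -> None:
        self.key = session_key
        self.session_id = session_id
        self.send_seq = 0   # next sequence number we will send
        self.recv_seq = 0   # next sequence number we expect to receive

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # The MAC covers id, sequence number and payload together, so none
        # of them can be swapped independently of the others.
        msg = self.session_id + struct.pack(">Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        """Build a record for the peer and advance the send counter."""
        seq = self.send_seq
        self.send_seq += 1
        return self.session_id + struct.pack(">Q", seq) + payload + self._tag(seq, payload)

    def open(self, record: bytes) -> bytes:
        """Verify a record from the peer; raise ValueError if not authentic."""
        if len(record) < SID_LEN + SEQ_LEN + TAG_LEN:
            raise ValueError("truncated record")
        sid = record[:SID_LEN]
        seq = struct.unpack(">Q", record[SID_LEN:SID_LEN + SEQ_LEN])[0]
        payload = record[SID_LEN + SEQ_LEN:-TAG_LEN]
        tag = record[-TAG_LEN:]
        if sid != self.session_id:
            raise ValueError("record belongs to another session")
        # Constant-time comparison: the tag check must not leak via timing.
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            raise ValueError("bad tag: forged or modified record")
        if seq != self.recv_seq:
            raise ValueError("unexpected sequence number: replay or loss")
        self.recv_seq += 1   # only an authentic, in-order record advances it
        return payload


def _try_open(endpoint: SessionEndpoint, record: bytes) -> str:
    try:
        endpoint.open(record)
        return "accepted"
    except ValueError:
        return "rejected"


def demonstrate() -> dict:
    """Run one legitimate exchange and four attacks; return each outcome."""
    # Constructed stand-in for the key the session's authenticated key
    # exchange would have produced.
    session_key = os.urandom(32)
    session_id = os.urandom(SID_LEN)
    client = SessionEndpoint(session_key, session_id)
    server = SessionEndpoint(session_key, session_id)
    results = {}

    # 1. Legitimate record from the client is accepted by the server.
    record = client.seal(b"GET /account/balance")
    results["legitimate"] = _try_open(server, record)

    # 2. Replay: the same, already accepted record is delivered again.
    results["replay"] = _try_open(server, record)

    # 3. Modification in transit: payload changed, tag left as it was.
    genuine = client.seal(b"transfer amount=10")
    tampered = genuine[:SID_LEN + SEQ_LEN] + b"transfer amount=99" + genuine[-TAG_LEN:]
    results["tampered"] = _try_open(server, tampered)
    # The rejected forgery did not advance the receive counter, so the
    # genuine record still goes through afterwards.
    results["genuine_after_tamper"] = _try_open(server, genuine)

    # 4. Injection by a third party who knows the format but not the key,
    #    even when it guesses the expected sequence number correctly.
    attacker = SessionEndpoint(os.urandom(32), session_id)
    attacker.send_seq = server.recv_seq
    results["injected"] = _try_open(server, attacker.seal(b"transfer amount=99"))

    # 5. Cross-session relay: an authentic record from a different session.
    other = SessionEndpoint(os.urandom(32), os.urandom(SID_LEN))
    results["cross_session"] = _try_open(server, other.seal(b"GET /"))

    return results


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case:>20}: {outcome}")
```

The sequence-number check is what turns a per-message integrity check into a session-level one: without it each record is authentic on its own, yet an attacker holding a captured record can still re-insert it later in the session. The check is deliberately placed after the tag verification so that an unauthenticated sender cannot probe the receiver's counter state.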

Reference Item Details

Related: SC-10,SC-11,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

Name | Plugin | Audit Name
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.5 Ensure that the --bind-address argument is set to 127.0.0.1 | OpenShift | CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.10.0 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.1 Set 'password' for 'enable secret' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Enable 'service password-encryption' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 | Unix | CIS Kubernetes v1.10.0 L1 Master
1.4.3 Set 'username secret' for all local users | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.1 Set 'no snmp-server' to disable SNMP when unused | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.2 If SNMPv2 is in use, set Restrictions on Access | Cisco | CIS Cisco NX-OS L1 v1.1.0
1.5.2 Unset 'private' for 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.3 Unset 'public' for 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.4 Do not set 'RW' for any 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.5 Set the ACL for each 'snmp-server community' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.7 Set 'snmp-server host' when using SNMP | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | Cisco | CIS Cisco IOS 15 L2 v4.1.1
1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L2
1.7.1 Enabling Post-Quantum (PQ) on IKEv2 VPNs | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L2
1.9.1.1 Ensure 'NTP authentication' is enabled | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
1.9.1.2 Ensure 'NTP authentication key' is configured correctly | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0
2.0 Install & Config - 'Enable FilerView HTTPS' | NetApp | TNS NetApp Data ONTAP 7G
2.1.1 Turn off Bluetooth, if no paired devices exist | Unix | CIS Apple macOS 10.14 v2.0.0 L1
2.1.1.1.1 Set the 'hostname' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.2 Set the 'ip domain-name' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.1.2 Set version 2 for 'ip ssh version' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.2 Ensure Show Wi-Fi status in Menu Bar Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1
2.1.2 Ensure Show Wi-Fi status in Menu Bar Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v3.1.0 L1
2.1.2 Set 'no cdp run' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.3 Set 'no ip bootp server' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp' - dhcp pool | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.5 Set 'no ip identd' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.6 Set 'service tcp-keepalives-in' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
2.1.8 Set 'no service pad' | Cisco | CIS Cisco IOS 15 L1 v4.1.1
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 10 L2 v1.1.0
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 10 L2 v1.1.0 Middleware
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 9 L2 v1.2.0
10.10 Configure maxHttpHeaderSize | Unix | CIS Apache Tomcat 9 L2 v1.2.0 Middleware