800-53|SC-23

Title

SESSION AUTHENTICITY

Description

The information system protects the authenticity of communications sessions.

Supplemental

This control addresses communications protection at the session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: SC-10,SC-11,SC-8

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.2.9 Ensure that the APIPriorityAndFairness feature gate is enabled	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.5 Ensure that the --bind-address argument is set to 127.0.0.1	OpenShift	CIS RedHat OpenShift Container Platform v1.6.0 L1
1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.10.0 L1 Master
1.4.1 Set 'password' for 'enable secret'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Enable 'service password-encryption'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.24 Benchmark v1.0.0 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.23 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.20 Benchmark v1.0.1 L1 Master
1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1	Unix	CIS Kubernetes v1.10.0 L1 Master
1.4.3 Set 'username secret' for all local users	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.1 Set 'no snmp-server' to disable SNMP when unused	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.2 Unset 'private' for 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.3 Unset 'public' for 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.4 Do not set 'RW' for any 'snmp-server community'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.8 Set 'snmp-server enable traps snmp'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3	Cisco	CIS Cisco IOS 15 L2 v4.1.1
1.9.1.1 Ensure 'NTP authentication' is enabled	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
2.0 Install & Config - 'Enable FilerView HTTPS'	NetApp	TNS NetApp Data ONTAP 7G
2.1.1.1.1 Set the 'hostname'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.2 Set the 'ip domain-name'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.4 Set 'seconds' for 'ip ssh timeout'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.1.5 Set maximimum value for 'ip ssh authentication-retries'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.1.2 Set version 2 for 'ip ssh version'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.2 Set 'no cdp run'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.3 Set 'no ip bootp server'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.4 Set 'no service dhcp' - dhcp pool	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.5 Set 'no ip identd'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.6 Set 'service tcp-keepalives-in'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.1.8 Set 'no service pad'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
2.4.4 Set 'ip tftp source-interface' to the Loopback Interface	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.1 Ensure DNS services are configured correctly	Cisco	CIS Cisco ASA 9.x Firewall L1 v1.1.0
3.1.1 Set 'no ip source-route'	Cisco	CIS Cisco IOS 15 L1 v4.1.1
3.1.2 Set 'no ip proxy-arp'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.1.3 Set 'no interface tunnel'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.1.4 Set 'ip verify unicast source reachable-via'	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.2 Ensure that MongoDB only listens for network connections on authorized interfaces	Windows	CIS MongoDB 3.6 L1 Windows Audit v1.1.0
3.2 Ensure that MongoDB only listens for network connections on authorized interfaces	Unix	CIS MongoDB 3.6 L1 Unix Audit v1.1.0
3.2.2 Set inbound 'ip access-group' on the External Interface	Cisco	CIS Cisco IOS 15 L2 v4.1.1
3.16 (L1) Host must configure a session timeout for the API	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
3.17 (L1) Host must automatically terminate idle host client sessions	VMware	CIS VMware ESXi 8.0 v1.1.0 L1
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10 L2 v1.1.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10 L2 v1.1.0 Middleware
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 9 L2 v1.2.0
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 9 L2 v1.2.0 Middleware
10.10 Configure maxHttpHeaderSize	Unix	CIS Apache Tomcat 10.1 v1.0.0 L2
20.53 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only)	Windows	CIS Microsoft Windows Server 2022 STIG v1.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only)	Windows	CIS Microsoft Windows Server 2019 STIG v2.0.0 STIG DC
20.54 Ensure 'PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)' (STIG DC only)	Windows	CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC

Detections

Analytics