CCI|CCI-001948

Title

The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.

Reference Item Details

Reference: CCI - DISA Control Correlation Identifier

Category: 2024

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.8.8 Ensure users must authenticate users using MFA via a graphical user logon	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM.	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.10 Ensure certificate status checking for PKI authentication	Unix	CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication.	Unix	DISA STIG AIX 7.x v2r9
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.	Unix	DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - ChallengeResponseAuthentication	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - enforceSmartCard	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
AOSX-15-003020 - The macOS system must use multifactor authentication for local and network access to privileged and non-privileged accounts, the establishment of nonlocal maintenance and diagnostic sessions, and authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access - PasswordAuthentication	Unix	DISA STIG Apple Mac OSX 10.15 v1r10
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Low
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard Authentication	Unix	NIST macOS Catalina v1.5.0 - CNSSI 1253
F5BI-AP-000195 - The BIG-IP APM module must be configured to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access.	F5	DISA F5 BIG-IP Access Policy Manager STIG v2r3
F5BI-LT-000195 - The BIG-IP Core implementation providing user authentication intermediary services must be configured to require multifactor authentication for remote access with privileged accounts to virtual servers in such a way that one of the factors is provided by a device separate from the system gaining access.	F5	DISA F5 BIG-IP Local Traffic Manager STIG v2r3
OL07-00-010061 - The Oracle Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-041001 - The Oracle Linux operating system must have the required packages for multifactor authentication installed.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-041002 - The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM) - PAM.	Unix	DISA Oracle Linux 7 STIG v2r14
OL07-00-041003 - The Oracle Linux operating system must implement certificate status checking for PKI authentication.	Unix	DISA Oracle Linux 7 STIG v2r14
RHEL-07-010061 - The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-041001 - The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-041002 - The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-07-041003 - The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.	Unix	DISA Red Hat Enterprise Linux 7 STIG v3r15
RHEL-08-010390 - RHEL 8 must have the packages required for multifactor authentication installed.	Unix	DISA Red Hat Enterprise Linux 8 STIG v2r1
RHEL-08-010400 - RHEL 8 must implement certificate status checking for multifactor authentication.	Unix	DISA Red Hat Enterprise Linux 8 STIG v2r1
RHEL-09-215075 - RHEL 9 must have the openssl-pkcs11 package installed.	Unix	DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611165 - RHEL 9 must enable certificate based smart card authentication.	Unix	DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611170 - RHEL 9 must implement certificate status checking for multifactor authentication.	Unix	DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611175 - RHEL 9 must have the pcsc-lite package installed.	Unix	DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611180 - The pcscd service on RHEL 9 must be active.	Unix	DISA Red Hat Enterprise Linux 9 STIG v2r2
RHEL-09-611185 - RHEL 9 must have the opensc package installed.	Unix	DISA Red Hat Enterprise Linux 9 STIG v2r2
SLES-12-030500 - The SUSE operating system must have the packages required for multifactor authentication to be installed.	Unix	DISA SLES 12 STIG v2r13
SLES-12-030510 - The SUSE operating system must implement certificate status checking for multifactor authentication.	Unix	DISA SLES 12 STIG v2r13
SLES-12-030520 - The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).	Unix	DISA SLES 12 STIG v2r13
SYMP-AG-000360 - Symantec ProxySG providing user authentication intermediary services must implement multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.	BlueCoat	DISA Symantec ProxySG Benchmark ALG v1r3
UBTU-16-030800 - The Ubuntu operating system must have the packages required for multifactor authentication to be installed.	Unix	DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030820 - The Ubuntu operating system must implement certificate status checking for multifactor authentication.	Unix	DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-16-030840 - The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.	Unix	DISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010431 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.	Unix	DISA STIG Ubuntu 18.04 LTS v2r15
UBTU-20-010063 - The Ubuntu operating system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.	Unix	DISA STIG Ubuntu 20.04 LTS v2r1
UBTU-22-612010 - Ubuntu 22.04 LTS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.	Unix	DISA STIG Canonical Ubuntu 22.04 LTS v2r2
WN12-PK-000008-DC - Active directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), PIV-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.	Windows	DISA Windows Server 2012 and 2012 R2 DC STIG v3r7
WN16-DC-000310 - Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.	Windows	DISA Windows Server 2016 STIG v2r9
WN19-DC-000310 - Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.	Windows	DISA Windows Server 2019 STIG v3r2
WN22-DC-000310 - Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication.	Windows	DISA Windows Server 2022 STIG v2r2

Detections

Analytics

CCI|CCI-001948

Title

Reference Item Details

Audit Items