CSCv7|4.2

Title

Change Default Passwords

Description

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

Reference Item Details

Category: Controlled Use of Administrative Privileges

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.1.1 Ensure 'Logon Password' is set | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.1.1 Ensure default password of root is not allowed | F5 | CIS F5 Networks v1.0.0 L1 |
| 1.1.2 Ensure default password of admin is not used | F5 | CIS F5 Networks v1.0.0 L1 |
| 1.1.3 Configure Secure Password Policy | F5 | CIS F5 Networks v1.0.0 L1 |
| 1.3.1 Ensure 'Minimum Password Complexity' is enabled | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | Palo_Alto | CIS Palo Alto Firewall 10 v1.2.0 L1 |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.2 Ensure 'Minimum Length' is greater than or equal to 12 | Palo_Alto | CIS Palo Alto Firewall 11 v1.1.0 L1 |
| 1.3.3 Ensure 'Minimum Uppercase Letters' is greater than or equal to 1 | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.4 Ensure 'Minimum Lowercase Letters' is greater than or equal to 1 | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.5 Ensure 'Minimum Numeric Letters' is greater than or equal to 1 | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.7 Ensure 'Required Password Change Period' is less than or equal to 90 days | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.8 Ensure 'New Password Differs By Characters' is greater than or equal to 3 | Palo_Alto | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 |
| 1.3.9 Ensure 'Prevent Password Reuse Limit' is set to 24 or more passwords | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.3.10 Ensure 'Password Profiles' do not exist | Palo_Alto | CIS Palo Alto Firewall 9 v1.1.0 L1 |
| 1.4.1.3 Ensure known default accounts do not exist | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0 |
| 1.4.1.3 Ensure known default accounts do not exist | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0 |
| 1.4.1.3 Ensure known default accounts do not exist | Cisco | CIS Cisco ASA 9.x Firewall L1 v1.1.0 |
| 2.4 (L2) Ensure default self-signed certificate for ESXi communication is not used | Unix | CIS VMware ESXi 7.0 v1.5.0 L2 Bare Metal |
| 2.4 Ensure default self-signed certificate for ESXi communication is not used | Unix | CIS VMware ESXi 6.7 v1.3.0 Level 2 Bare Metal |
| 2.4.1 Ensure default 'admin' password is changed | FortiGate | CIS Fortigate 7.0.x v1.3.0 L1 |
| 2.4.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.1.0 L1 |
| 2.4.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1 |
| 2.4.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately | Unix | CIS Apple macOS 15.0 Sequoia Cloud-tailored v1.0.0 L1 |
| 2.4.6 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled | Unix | CIS Apple macOS 12.0 Monterey Cloud-tailored v1.1.0 L1 |
| 2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled | Unix | CIS Apple macOS 12.0 Monterey v4.0.0 L1 |
| 2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled | Unix | CIS Apple macOS 11.0 Big Sur v4.0.0 L1 |
| 2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPassword | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1 |
| 2.5.10 Ensure a Password is Required to Wake the Computer From Sleep or Screen Saver Is Enabled - askForPasswordDelay | Unix | CIS Apple macOS 10.15 Catalina v3.0.0 L1 |
| 2.6.3 Ensure Automatic Login Is Disabled | Unix | CIS Apple macOS 15.0 Sequoia Cloud-tailored v1.0.0 L1 |
| 2.6.3 Ensure Automatic Login Is Disabled | Unix | CIS Apple macOS 13.0 Ventura Cloud-tailored v1.1.0 L1 |
| 2.6.3 Ensure Automatic Login Is Disabled | Unix | CIS Apple macOS 14.0 Sonoma Cloud-tailored v1.1.0 L1 |
| 2.10.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately | Unix | CIS Apple macOS 14.0 Sonoma v2.1.0 L1 |
| 2.10.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately | Unix | CIS Apple macOS 13.0 Ventura v3.1.0 L1 |
| 2.11.2 Ensure Require Password After Screen Saver Begins or Display Is Turned Off Is Enabled for 5 Seconds or Immediately | Unix | CIS Apple macOS 15.0 Sequoia v1.1.0 L1 |
| 2.12.3 Ensure Automatic Login Is Disabled | Unix | CIS Apple macOS 13.0 Ventura v3.1.0 L1 |
| 2.12.3 Ensure Automatic Login Is Disabled | Unix | CIS Apple macOS 14.0 Sonoma v2.1.0 L1 |
| 2.13.3 Ensure Automatic Login Is Disabled | Unix | CIS Apple macOS 15.0 Sequoia v1.1.0 L1 |
| 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow | Unix | CIS Google Kubernetes Engine (GKE) v1.7.0 L1 |
| 3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120' | OracleDB | CIS Oracle Server 18c DB Traditional Auditing v1.1.0 |
| 3.9 Ensure 'INACTIVE_ACCOUNT_TIME' Is Less than or Equal to '120' | OracleDB | CIS Oracle Server 18c DB Unified Auditing v1.1.0 |
| 4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins | MS_SQLDB | CIS SQL Server 2008 R2 DB Engine L1 v1.7.0 |
| 4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins | MS_SQLDB | CIS SQL Server 2016 Database L1 DB v1.4.0 |
| 4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins | MS_SQLDB | CIS SQL Server 2017 Database L1 DB v1.3.0 |
| 4.1 Ensure 'MUST_CHANGE' Option is set to 'ON' for All SQL Authenticated Logins | MS_SQLDB | CIS Microsoft SQL Server 2019 v1.5.0 L1 Database Engine |
| 10.4 Ensure 'keysPassword' is set to a custom password for ltpa keys | Unix | CIS IBM WebSphere Liberty v1.0.0 L1 |