STIGQter: STIG Summary: Authentication, Authorization, and Accounting Services (AAA) Security Requirements Guide

Version: 1

Release: 2

Benchmark Date: 24 Jan 2020

Name             Title
SV-95525r1_rule  AAA Services must be configured to use secure protocols when connecting to directory services.
SV-95527r1_rule  AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
SV-95529r1_rule  AAA Services must be configured to provide automated account management functions.
SV-95531r1_rule  AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
SV-95533r1_rule  AAA Services must be configured to prevent automatically removing emergency accounts.
SV-95535r1_rule  AAA Services must be configured to prevent automatically disabling emergency accounts.
SV-95537r1_rule  AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity.
SV-95539r1_rule  AAA Services must be configured to automatically audit account creation.
SV-95541r1_rule  AAA Services must be configured to automatically audit account modification.
SV-95543r1_rule  AAA Services must be configured to automatically audit account disabling actions.
SV-95545r1_rule  AAA Services must be configured to automatically audit account removal actions.
SV-95547r1_rule  AAA Services must be configured to notify the system administrators and ISSO when accounts are created.
SV-95549r1_rule  AAA Services must be configured to notify the system administrators and ISSO when accounts are modified.
SV-95551r1_rule  AAA Services must be configured to notify the system administrators and ISSO for account disabling actions.
SV-95553r1_rule  AAA Services must be configured to notify the system administrators and ISSO for account removal actions.
SV-95555r1_rule  AAA Services must be configured to automatically audit account enabling actions.
SV-95557r1_rule  AAA Services must be configured to notify system administrators and ISSO of account enabling actions.
SV-95559r1_rule  AAA Services must be configured to use Role-Based Access Control (RBAC) policy for levels of access authorization.
SV-95561r1_rule  AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
SV-95565r1_rule  AAA Services must be configured to maintain locks on user accounts until released by an administrator.
SV-95567r1_rule  AAA Services configuration audit records must identify what type of events occurred.
SV-95569r1_rule  AAA Services configuration audit records must identify when (date and time) the events occurred.
SV-95571r1_rule  AAA Services configuration audit records must identify where the events occurred.
SV-95573r1_rule  AAA Services configuration audit records must identify the source of the events.
SV-95575r1_rule  AAA Services configuration audit records must identify the outcome of the events.
SV-95577r1_rule  AAA Services configuration audit records must identify any individual user or process associated with the event.
SV-95579r1_rule  AAA Services must be configured to send audit records to a centralized audit server.
SV-95581r2_rule  AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.
SV-95583r1_rule  AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner.
SV-95585r1_rule  AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs.
SV-95587r1_rule  AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
SV-95589r1_rule  AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records.
SV-95591r1_rule  AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records.
SV-95593r1_rule  AAA Services must be configured to use at least two NTP servers to synchronize time.
SV-95595r1_rule  AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
SV-95597r1_rule  AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.
SV-95599r1_rule  AAA Services must be configured to audit each authentication and authorization transaction.
SV-95601r1_rule  AAA Services must be configured to uniquely identify and authenticate organizational users.
SV-95603r1_rule  AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
SV-95605r1_rule  AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
SV-95607r1_rule  AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
SV-95609r1_rule  AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
SV-95611r1_rule  AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
SV-95613r1_rule  AAA Services must be configured to enforce a minimum 15-character password length.
SV-95615r1_rule  AAA Services must be configured to enforce password complexity by requiring that at least one upper-case character be used.
SV-95617r1_rule  AAA Services must be configured to enforce password complexity by requiring that at least one lower-case character be used.
SV-95619r1_rule  AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
SV-95621r1_rule  AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.
SV-95623r1_rule  AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.
SV-95625r1_rule  AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
SV-95627r1_rule  AAA Services must be configured to enforce 24 hours as the minimum password lifetime.
SV-95629r1_rule  AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.
SV-95631r1_rule  AAA Services must be configured to prohibit password reuse for a minimum of five generations.
SV-95633r1_rule  AAA Services must be configured to allow the use of a temporary password at initial logon with an immediate change to a permanent password.
SV-95635r1_rule  AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
SV-95637r1_rule  AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
SV-95639r1_rule  AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
SV-95641r1_rule  AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
SV-95643r1_rule  AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
SV-95645r1_rule  AAA Services must not be configured with shared accounts.
SV-95647r1_rule  AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
SV-95649r1_rule  AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
SV-95651r1_rule  AAA Services must be configured to use IP segments separate from production VLAN IP segments.
SV-95653r1_rule  AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
SV-95655r1_rule  AAA Services must be configured to disable non-essential modules.
SV-95657r1_rule  AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
SV-95659r1_rule  AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
SV-95661r1_rule  AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
SV-95663r1_rule  AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.