UCF STIG Viewer Logo

AAA Services Security Requirements Guide


Overview

Date Finding Count (79)
2024-07-02 CAT I (High): 8 CAT II (Med): 68 CAT III (Low): 3
STIG Description
This Security Requirements Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-204676 High AAA Services must be configured to not accept certificates that have been revoked for PKI-based authentication.
V-204672 High AAA Services must be configured to encrypt transmitted credentials using a FIPS-validated cryptographic module.
V-204657 High AAA Services must be configured to use secure protocols when connecting to directory services.
V-204658 High AAA Services must be configured to use protocols that encrypt credentials when authenticating clients, as defined in the PPSM CAL and vulnerability assessments.
V-204671 High For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.
V-204660 High AAA Services must be configured to uniquely identify and authenticate organizational users.
V-204675 High AAA Services must be configured to only accept certificates issued by a DoD-approved Certificate Authority for PKI-based authentication.
V-204679 High AAA Services must be configured to protect the confidentiality and integrity of all information at rest.
V-204687 Medium AAA Services must be configured to notify system administrators (SAs) and information system security officer (ISSO) of account enabling actions.
V-204686 Medium AAA Services must be configured to automatically audit account enabling actions.
V-204685 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account removal actions.
V-204684 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) for account disabling actions.
V-204683 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are modified.
V-204682 Medium AAA Services must be configured to notify the system administrators (SAs) and information system security officer (ISSO) when accounts are created.
V-263528 Medium AAA Services must be configured to disable accounts when the accounts are no longer associated to a user.
V-204670 Medium AAA Services must be configured to require the change of at least eight of the total number of characters when passwords are changed.
V-204689 Medium AAA Services must be configured to maintain locks on user accounts until released by an administrator.
V-263536 Medium For password-based authentication, AAA Services must be configured to allow user selection of long passwords and passphrases, including spaces and all printable characters.
V-263537 Medium For password-based authentication, AAA Services must be configured to employ automated tools to assist the user in selecting strong password authenticators.
V-263534 Medium For password-based authentication, AAA Services must be configured to verify when users create or update passwords, and that the passwords are not on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
V-263535 Medium For password-based authentication, AAA Services must be configured to require immediate selection of a new password upon account recovery.
V-263532 Medium For password-based authentication, AAA Services must be configured to update the list of passwords on an organization-defined frequency.
V-263533 Medium For password-based authentication, AAA Services must be configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
V-263530 Medium AAA Services must be configured to automatically generate audit records of the enforcement actions.
V-263531 Medium AAA Services must be configured to require users to be individually authenticated before granting access to the shared accounts or resources.
V-204645 Medium AAA Services must be configured to audit each authentication and authorization transaction.
V-263538 Medium For public key-based authentication, AAA Services must be configured to implement a local cache of revocation data to support path discovery and validation.
V-263539 Medium AAA Services must be configured to include only approved trust anchors in trust stores or certificate stores managed by the organization.
V-204650 Medium AAA Services configuration audit records must identify the outcome of the events.
V-204636 Medium AAA Services must be configured to provide automated account management functions.
V-204637 Medium AAA Services must be configured to automatically remove temporary user accounts after 72 hours.
V-204651 Medium AAA Services configuration audit records must identify any individual user or process associated with the event.
V-204638 Medium AAA Services must be configured to automatically remove authorizations for temporary user accounts after 72 hours.
V-204639 Medium AAA Services must be configured to automatically disable accounts after a 35-day period of account inactivity.
V-204652 Medium AAA Services must be configured to alert the SA and ISSO when any audit processing failure occurs.
V-204677 Medium AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
V-204674 Medium AAA Services must be configured to enforce a 60-day maximum password lifetime restriction.
V-204653 Medium AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner.
V-204655 Medium AAA Services must be configured to use internal system clocks to generate time stamps for audit records.
V-204656 Medium AAA Services must be configured to disable non-essential modules.
V-204654 Medium AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs.
V-204647 Medium AAA Services configuration audit records must identify when (date and time) the events occurred.
V-204678 Medium AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.
V-204673 Medium AAA Services must be configured to enforce 24 hours as the minimum password lifetime.
V-263529 Medium AAA Services must be configured to disable accounts when the accounts are in violation of organizational policy.
V-204696 Medium AAA Services must be configured to authenticate all NTP messages received from NTP servers and peers.
V-204690 Medium AAA Services must be configured to send audit records to a centralized audit server.
V-204691 Medium AAA Services must be configured to use or map to Coordinated Universal Time (UTC) to record time stamps for audit records.
V-204692 Medium AAA Services must be configured with a minimum granularity of one second to record time stamps for audit records.
V-204693 Medium AAA Services used for 802.1x must be configured to authenticate network endpoint devices (supplicants) before the authenticator establishes any connection.
V-204698 Medium AAA Services used for 802.1x must be configured to use secure Extensible Authentication Protocol (EAP), such as EAP-TLS, EAP-TTLS, and PEAP.
V-204699 Medium AAA Services must not be configured with shared accounts.
V-263527 Medium AAA Services must be configured to disable accounts when the accounts have expired.
V-204646 Medium AAA Services configuration audit records must identify what type of events occurred.
V-204659 Medium AAA Services must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-204641 Medium AAA Services must be configured to automatically audit account modification.
V-204669 Medium AAA Services must be configured to enforce password complexity by requiring that at least one special character be used.
V-204668 Medium AAA Services must be configured to enforce password complexity by requiring that at least one numeric character be used.
V-204648 Medium AAA Services configuration audit records must identify where the events occurred.
V-204680 Medium AAA Services must be configured to prevent automatically removing emergency accounts.
V-204661 Medium AAA Services must be configured to require multifactor authentication using Personal Identity Verification (PIV) credentials for authenticating privileged user accounts.
V-204663 Medium AAA Services used for 802.1x must be configured to uniquely identify network endpoints (supplicants) before the authenticator establishes any connection.
V-204662 Medium AAA Services must be configured to require multifactor authentication using Common Access Card (CAC) Personal Identity Verification (PIV) credentials for authenticating non-privileged user accounts.
V-204664 Medium AAA Services must be configured to enforce a minimum 15-character password length.
V-204667 Medium AAA Services must be configured to enforce password complexity by requiring that at least one lowercase character be used.
V-204666 Medium AAA Services must be configured to enforce password complexity by requiring that at least one uppercase character be used.
V-204643 Medium AAA Services must be configured to automatically audit account removal actions.
V-204642 Medium AAA Services must be configured to automatically audit account disabling actions.
V-204704 Medium AAA Services must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.
V-204640 Medium AAA Services must be configured to automatically audit account creation.
V-204702 Medium AAA Services must be configured to use IP segments separate from production VLAN IP segments.
V-204703 Medium AAA Services must be configured to place non-authenticated network access requests in the Unauthorized VLAN or the Guest VLAN with limited access.
V-204700 Medium AAA Services used to authenticate privileged users for device management must be configured to connect to the management network.
V-204701 Medium AAA Services must be configured to use a unique shared secret for communication (i.e. RADIUS, TACACS+) with clients requesting authentication services.
V-204649 Medium AAA Services configuration audit records must identify the source of the events.
V-204644 Medium AAA Services must be configured to automatically lock user accounts after three consecutive invalid logon attempts within a 15-minute time period.
V-204681 Low AAA Services must be configured to prevent automatically disabling emergency accounts.
V-204695 Low AAA Services must be configured to use at least two NTP servers to synchronize time.
V-204697 Low AAA Services must be configured to use their loopback or OOB management interface address as the source address when originating NTP traffic.