
STIGhub


CCI-000877

Definition

Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions.

Parent Control

MA-4 Nonlocal Maintenance (Maintenance)

Linked STIG Checks (99)

ID | Severity | Check | STIG
V-274052 | CAT I | Amazon Linux 2023 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | Amazon Linux 2023 Security Technical Implementation Guide
V-274057 | CAT I | Amazon Linux 2023 must enable FIPS mode. | Amazon Linux 2023 Security Technical Implementation Guide
V-268176 | CAT I | NixOS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | Anduril NixOS Security Technical Implementation Guide
V-257773 | CAT I | The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257774 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257775 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration. | Apple macOS 12 (Monterey) Security Technical Implementation Guide
V-257165 | CAT I | The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257166 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257167 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257293 | CAT I | The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257294 | CAT I | The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-257295 | CAT I | The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration. | Apple macOS 13 (Ventura) Security Technical Implementation Guide
V-268477 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
V-277084 | CAT I | The macOS system must disable password authentication for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
V-222565 | CAT II | The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | Application Security and Development Security Technical Implementation Guide
V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
V-219309 | CAT II | The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. | Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
V-238211 | CAT II | The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
V-260534 | CAT II | Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V-270741 | CAT II | Ubuntu 24.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
V-269125 | CAT I | AlmaLinux OS 9 must use the TuxCare ESU repository. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269126 | CAT I | AlmaLinux OS 9 must use the TuxCare FIPS packages and not the default encryption packages. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269127 | CAT I | AlmaLinux OS 9 must enable FIPS mode. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-269420 | CAT I | AlmaLinux OS 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V-233106 | CAT II | The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | Container Platform Security Requirements Guide
V-205175 | CAT II | The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | Domain Name System (DNS) Security Requirements Guide
V-203653 | CAT I | The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | General Purpose Operating System Security Requirements Guide
V-255239 | CAT II | SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | HPE 3PAR SSMC Operating System Security Technical Implementation Guide
V-237826 | CAT I | User credentials which would allow remote access to the system by the Service Processor must be removed from the storage system. | HPE 3PAR StoreServ 3.2.x Security Technical Implementation Guide
V-215213 | CAT I | AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | IBM AIX 7.x Security Technical Implementation Guide
V-223497 | CAT II | CA-ACF2 defined user accounts must uniquely identify system users. | IBM z/OS ACF2 Security Technical Implementation Guide
V-223722 | CAT II | IBM RACF user accounts must uniquely identify system users. | IBM z/OS RACF Security Technical Implementation Guide
V-223952 | CAT II | CA-TSS user accounts must uniquely identify system users. | IBM z/OS TSS Security Technical Implementation Guide
V-214167 | CAT II | The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | Infoblox 7.x DNS Security Technical Implementation Guide
V-233905 | CAT II | The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. | Infoblox 8.x DNS Security Technical Implementation Guide
V-220862 | CAT I | The Windows Remote Management (WinRM) client must not use Basic authentication. | Microsoft Windows 10 Security Technical Implementation Guide
V-220865 | CAT I | The Windows Remote Management (WinRM) service must not use Basic authentication. | Microsoft Windows 10 Security Technical Implementation Guide
V-220868 | CAT II | The Windows Remote Management (WinRM) client must not use Digest authentication. | Microsoft Windows 10 Security Technical Implementation Guide
V-253416 | CAT I | The Windows Remote Management (WinRM) client must not use Basic authentication. | Microsoft Windows 11 Security Technical Implementation Guide
V-253418 | CAT I | The Windows Remote Management (WinRM) service must not use Basic authentication. | Microsoft Windows 11 Security Technical Implementation Guide
V-253421 | CAT II | The Windows Remote Management (WinRM) client must not use Digest authentication. | Microsoft Windows 11 Security Technical Implementation Guide
V-224958 | CAT I | The Windows Remote Management (WinRM) client must not use Basic authentication. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-224960 | CAT II | The Windows Remote Management (WinRM) client must not use Digest authentication. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-224961 | CAT I | The Windows Remote Management (WinRM) service must not use Basic authentication. | Microsoft Windows Server 2016 Security Technical Implementation Guide
V-205711 | CAT I | Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205712 | CAT II | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-205713 | CAT I | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. | Microsoft Windows Server 2019 Security Technical Implementation Guide
V-254378 | CAT I | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254380 | CAT II | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-254381 | CAT I | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication. | Microsoft Windows Server 2022 Security Technical Implementation Guide
V-278125 | CAT I | Windows Server 2025 Windows Remote Management (WinRM) client must not use Basic authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-278127 | CAT II | Windows Server 2025 Windows Remote Management (WinRM) client must not use Digest authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-278128 | CAT I | Windows Server 2025 Windows Remote Management (WinRM) service must not use Basic authentication. | Microsoft Windows Server 2025 Security Technical Implementation Guide
V-259411 | CAT II | The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | Microsoft Windows Server Domain Name System (DNS) Security Technical Implementation Guide
V-254125 | CAT I | Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions. | Nutanix AOS 5.20.x OS Security Technical Implementation Guide
V-279534 | CAT I | Nutanix OS must implement cryptography to protect the integrity of remote access sessions by using only HMACs employing FIPS 140-3-approved algorithms. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-279620 | CAT I | Nutanix OS must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | Nutanix Acropolis GPOS Security Technical Implementation Guide
V-221840 | CAT II | The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections. | Oracle Linux 7 Security Technical Implementation Guide
V-248524 | CAT I | OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Oracle Linux 8 Security Technical Implementation Guide
V-283446 | CAT I | OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Oracle Linux 8 Security Technical Implementation Guide
V-283457 | CAT I | The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Oracle Linux 8 Security Technical Implementation Guide
V-283458 | CAT I | The OL 8 SSH server must be configured to use only DOD-approved encryption ciphers employing FIPS 140-3 validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Oracle Linux 8 Security Technical Implementation Guide
V-271454 | CAT I | OL 9 must enable FIPS mode. | Oracle Linux 9 Security Technical Implementation Guide
V-271707 | CAT I | OL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | Oracle Linux 9 Security Technical Implementation Guide
V-235978 | CAT II | Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions. | Oracle WebLogic Server 12c Security Technical Implementation Guide
V-253522 | CAT I | Prisma Cloud Compute Console must use TLS 1.2 for user interface and API access. Communication TCP ports must adhere to the Ports, Protocols, and Services Management Category Assurance Levels (PSSM CAL). | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
V-281009 | CAT I | RHEL 10 must enable FIPS mode. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281010 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281011 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved encryption ciphers employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281012 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) clients use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH client connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281013 | CAT I | RHEL 10 must be configured so that Secure Shell (SSH) servers use only DOD-approved Message Authentication Codes (MACs) employing FIPS 140-3-validated cryptographic hash algorithms to protect the confidentiality of SSH server connections. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-281216 | CAT I | RHEL 10 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V-257986 | CAT I | RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-258230 | CAT I | RHEL 9 must enable FIPS mode. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V-257583 | CAT I | Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
V-275627 | CAT I | Ubuntu OS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions. | Riverbed NetIM OS Security Technical Implementation Guide
V-261334 | CAT I | SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-261335 | CAT I | SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms. | SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V-217271 | CAT II | The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
V-216387 | CAT II | The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). | Solaris 11 SPARC Security Technical Implementation Guide
V-216150 | CAT II | The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception). | Solaris 11 X86 Security Technical Implementation Guide
V-241005 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.0 Security Technical Implementation Guide
V-234066 | CAT II | Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts. | Tanium 7.3 Security Technical Implementation Guide
V-252919 | CAT I | The TOSS operating system must implement DOD-approved encryption in the OpenSSL package. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V-282504 | CAT I | TOSS 5 must enable the Pluggable Authentication Module (PAM) interface for SSHD. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
V-240467 | CAT II | The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | VMware vRealize Automation 7.x SLES Security Technical Implementation Guide
V-239560 | CAT II | The SLES for vRealize must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide
V-256503 | CAT II | The Photon operating system must use an OpenSSH server version that does not support protocol 1. | VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide
V-207399 | CAT II | The VMM must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions. | Virtual Machine Manager Security Requirements Guide
V-73593 | CAT I | The Windows Remote Management (WinRM) client must not use Basic authentication. | Windows Server 2016 Security Technical Implementation Guide
V-73593 | CAT I | The Windows Remote Management (WinRM) client must not use Basic authentication. | Windows Server 2016 Security Technical Implementation Guide
V-73597 | CAT II | The Windows Remote Management (WinRM) client must not use Digest authentication. | Windows Server 2016 Security Technical Implementation Guide
V-73597 | CAT II | The Windows Remote Management (WinRM) client must not use Digest authentication. | Windows Server 2016 Security Technical Implementation Guide
V-73599 | CAT I | The Windows Remote Management (WinRM) service must not use Basic authentication. | Windows Server 2016 Security Technical Implementation Guide
V-73599 | CAT I | The Windows Remote Management (WinRM) service must not use Basic authentication. | Windows Server 2016 Security Technical Implementation Guide
V-93503 | CAT I | Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication. | Windows Server 2019 Security Technical Implementation Guide
V-93505 | CAT II | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication. | Windows Server 2019 Security Technical Implementation Guide
V-93507 | CAT I | Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication. | Windows Server 2019 Security Technical Implementation Guide
V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide