STIGhub

CCI-004045

Definition

Require users to be individually authenticated before granting access to the shared accounts or resources.

Parent Control

IA-2 (5) | Identification and Authentication (Organizational Users) | Identification and Authentication

Linked STIG Checks (79)

  • V-263531 | CAT II | AAA Services must be configured to require users to be individually authenticated before granting access to the shared accounts or resources. | AAA Services Security Requirements Guide
  • V-274049 | CAT II | Amazon Linux 2023 must not permit direct logons to the root account using remote access via SSH. | Amazon Linux 2023 Security Technical Implementation Guide
  • V-268137 | CAT II | NixOS must not allow direct login to the root account via SSH. | Anduril NixOS Security Technical Implementation Guide
  • V-268138 | CAT II | NixOS must not allow direct login to the root account. | Anduril NixOS Security Technical Implementation Guide
  • V-222964 | CAT I | TLS must be enabled on JMX. | Apache Tomcat Application Server 9 Security Technical Implementation Guide
  • V-259472 | CAT II | The macOS system must disable root logon for SSH. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide
  • V-268442 | CAT II | The macOS system must disable login to other users' active and locked sessions. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268443 | CAT II | The macOS system must disable root login. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-268472 | CAT II | The macOS system must disable root login for SSH. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide
  • V-277050 | CAT II | The macOS system must disable login to other users' active and locked sessions. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277051 | CAT II | The macOS system must disable root login. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-277079 | CAT II | The macOS system must disable root login for SSH. | Apple macOS 26 (Tahoe) Security Technical Implementation Guide
  • V-222408 | CAT II | Shared/group account credentials must be terminated when members leave the group. | Application Security and Development Security Technical Implementation Guide
  • V-222529 | CAT II | The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | Application Security and Development Security Technical Implementation Guide
  • V-204748 | CAT II | The application server must authenticate users individually prior to using a group authenticator. | Application Server Security Requirements Guide
  • V-272627 | CAT III | CylanceON-PREM must be configured to use a third-party identity provider. | Arctic Wolf CylanceON-PREM Security Technical Implementation Guide
  • V-276012 | CAT I | Ax-OS must have no local accounts for the user interface. | Axonius Federal Systems Ax-OS Security Technical Implementation Guide
  • V-238329 | CAT II | The Ubuntu operating system must prevent direct login into the root account. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
  • V-260542 | CAT II | Ubuntu 22.04 LTS must prevent direct login into the root account. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
  • V-270724 | CAT II | Ubuntu 24.04 LTS must prevent direct login to the root account. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide
  • V-263572 | CAT II | The Central Log Server must require users to be individually authenticated before granting access to the shared accounts or resources. | Central Log Server Security Requirements Guide
  • V-242608 | CAT II | The Cisco ISE must change the password for the local CLI and web-based account when members who have access to the password leave the role and are no longer authorized access. | Cisco ISE NDM Security Technical Implementation Guide
  • V-269363 | CAT II | AlmaLinux OS 9 must restrict the use of the "su" command. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-269376 | CAT II | AlmaLinux OS 9 must not permit direct logons to the root account using remote access via SSH. | Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
  • V-233083 | CAT II | The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | Container Platform Security Requirements Guide
  • V-233155 | CAT II | The container platform must terminate shared/group account credentials when members leave the group. | Container Platform Security Requirements Guide
  • V-263607 | CAT II | The DBMS must require users to be individually authenticated before granting access to the shared accounts or resources. | Database Security Requirements Guide
  • V-263629 | CAT II | The DNS server implementation must require users to be individually authenticated before granting access to the shared accounts or resources. | Domain Name System (DNS) Security Requirements Guide
  • V-230931 | CAT II | Forescout must terminate the account of last resort password when members with access to the password leave the group. | Forescout Network Device Management Security Technical Implementation Guide
  • V-203644 | CAT II | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | General Purpose Operating System Security Requirements Guide
  • V-215178 | CAT II | Direct logins to the AIX system must not be permitted to shared accounts, default accounts, application accounts, and utility accounts. | IBM AIX 7.x Security Technical Implementation Guide
  • V-223722 | CAT II | IBM RACF user accounts must uniquely identify system users. | IBM z/OS RACF Security Technical Implementation Guide
  • V-223952 | CAT II | CA-TSS user accounts must uniquely identify system users. | IBM z/OS TSS Security Technical Implementation Guide
  • V-258600 | CAT I | The ICS must be configured to prevent nonprivileged users from executing privileged functions. | Ivanti Connect Secure NDM Security Technical Implementation Guide
  • V-253946 | CAT II | The Juniper EX switch must change credentials for account of last resort when administrators who know the credential leave the organization. | Juniper EX Series Switches Network Device Management Security Technical Implementation Guide
  • V-205493 | CAT II | The Mainframe Product must verify users are authenticated with an individual authenticator prior to using a group authenticator. | Mainframe Product Security Requirements Guide
  • V-205540 | CAT II | The Mainframe Product must terminate shared/group account credentials when members leave the group. | Mainframe Product Security Requirements Guide
  • V-276240 | CAT II | Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database. | Microsoft Azure SQL Managed Instance Security Technical Implementation Guide
  • V-271269 | CAT II | SQL Server must protect against a user falsely repudiating by ensuring all accounts are individual, unique, and not shared. | Microsoft SQL Server 2022 Instance Security Technical Implementation Guide
  • V-260909 | CAT II | MKE must be configured to integrate with an Enterprise Identity Provider. | Mirantis Kubernetes Engine Security Technical Implementation Guide
  • V-279399 | CAT II | MongoDB must require users to be individually authenticated before granting access to the shared accounts or resources. | MongoDB Enterprise Advanced 8.x Security Technical Implementation Guide
  • V-246947 | CAT II | ONTAP must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role. | NetApp ONTAP DSC 9.x Security Technical Implementation Guide
  • V-202054 | CAT II | The network device must be configured to authenticate each administrator prior to authorizing privileges based on assignment of group or role. | Network Device Management Security Requirements Guide
  • V-202087 | CAT II | The network device must terminate shared/group account credentials when members leave the group. | Network Device Management Security Requirements Guide
  • V-279438 | CAT II | Nutanix AOS must authenticate users individually prior to using a group authenticator. | Nutanix Acropolis Application Server Security Technical Implementation Guide
  • V-270501 | CAT III | Oracle Database must protect against an individual who uses a shared account falsely denying having performed a particular action. | Oracle Database 19c Security Technical Implementation Guide
  • V-221703 | CAT II | The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | Oracle Linux 7 Security Technical Implementation Guide
  • V-248613 | CAT II | OL 8 must not permit direct logons to the root account using remote access via SSH. | Oracle Linux 8 Security Technical Implementation Guide
  • V-271610 | CAT II | OL 9 must use the CAC smart card driver. | Oracle Linux 9 Security Technical Implementation Guide
  • V-271708 | CAT II | OL 9 must not permit direct logons to the root account using remote access via SSH. | Oracle Linux 9 Security Technical Implementation Guide
  • V-253523 | CAT II | Access to Prisma Cloud Compute must be managed based on user need and least privileged using external identity providers for authentication and grouping to role-based assignments when possible. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-253537 | CAT II | Prisma Cloud Compute must be configured with unique user accounts. | Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
  • V-252843 | CAT I | Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. | Rancher Government Solutions Multi-Cluster Manager Security Technical Implementation Guide
  • V-280976 | CAT II | RHEL 10 must use the common access card (CAC) smart card driver. | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-281265 | CAT II | RHEL 10 must not permit direct logins to the root account using remote access via Secure Shell (SSH). | Red Hat Enterprise Linux 10 Security Technical Implementation Guide
  • V-230296 | CAT II | RHEL 8 must not permit direct logons to the root account using remote access via SSH. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide
  • V-257985 | CAT II | RHEL 9 must not permit direct logons to the root account using remote access via SSH. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-258121 | CAT II | RHEL 9 must use the common access card (CAC) smart card driver. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide
  • V-257513 | CAT I | OpenShift role-based access controls (RBAC) must be enforced. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-257543 | CAT I | OpenShift must use FIPS validated LDAP or OpenIDConnect. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide
  • V-275633 | CAT II | Ubuntu OS must prevent direct login into the root account. | Riverbed NetIM OS Security Technical Implementation Guide
  • V-256079 | CAT I | The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-256097 | CAT II | The network device must terminate shared/group account credentials when members leave the group. | Riverbed NetProfiler Security Technical Implementation Guide
  • V-217267 | CAT II | The SUSE operating system must deny direct logons to the root account using remote access via SSH. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
  • V-216340 | CAT II | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | Solaris 11 SPARC Security Technical Implementation Guide
  • V-216105 | CAT II | The operating system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | Solaris 11 X86 Security Technical Implementation Guide
  • V-254904 | CAT II | The Tanium cryptographic signing capabilities must be enabled on the Tanium Server. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-254928 | CAT II | The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions. | Tanium 7.x Application on TanOS Security Technical Implementation Guide
  • V-253815 | CAT II | The Tanium Application Server must be configured with a connector to sync to Microsoft Active Directory for account management functions. | Tanium 7.x Security Technical Implementation Guide
  • V-253845 | CAT II | The Tanium cryptographic signing capabilities must be enabled on the Tanium Server. | Tanium 7.x Security Technical Implementation Guide
  • V-242254 | CAT I | The TippingPoint SMS must be configured to use an authentication server for the purpose of authenticating users prior to granting administrative access and to enforce access restrictions. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
  • V-242260 | CAT II | The password for the local account of last resort and the device password (if configured) must be changed when members who had access to the password leave the role and are no longer authorized access. | Trend Micro TippingPoint NDM Security Technical Implementation Guide
  • V-252915 | CAT II | TOSS must not permit direct logons to the root account using remote access from outside of the system via SSH. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
  • V-282494 | CAT II | TOSS 5 must not permit direct logins to the root account using remote access via SSH. | Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide
  • V-234360 | CAT II | The UEM server must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | Unified Endpoint Management Server Security Requirements Guide
  • V-258909 | CAT II | The vCenter Server must uniquely identify and authenticate users or processes acting on behalf of users. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide
  • V-207391 | CAT II | The VMM must require individuals to be authenticated with an individual authenticator prior to using a group authenticator. | Virtual Machine Manager Security Requirements Guide
  • V-264342 | CAT II | The web server must require users to be individually authenticated before granting access to the shared accounts or resources. | Web Server Security Requirements Guide
  • V-269574 | CAT I | Xylok Security Suite must use a centralized user management solution. | Xylok Security Suite 20.x Security Technical Implementation Guide