
CCI-004895

Definition

Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication.

Parent Control

SC-11 Trusted Path (System and Communications Protection)

Linked STIG Checks (60)

| Check ID | Severity | Title | STIG |
|---|---|---|---|
| V-222979 | CAT II | Idle timeout for the management application must be set to 10 minutes. | Apache Tomcat Application Server 9 Security Technical Implementation Guide |
| V-259555 | CAT II | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide |
| V-259559 | CAT II | The macOS system must configure sudoers timestamp type. | Apple macOS 14 (Sonoma) Security Technical Implementation Guide |
| V-274880 | CAT II | The macOS system must configure sudoers timestamp type. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide |
| V-274881 | CAT II | The macOS system must require users to reauthenticate for privilege escalation when using the "sudo" command. | Apple macOS 15 (Sequoia) Security Technical Implementation Guide |
| V-222520 | CAT II | The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Application Security and Development Security Technical Implementation Guide |
| V-238208 | CAT II | The Ubuntu operating system must require users to reauthenticate for privilege escalation or when changing roles. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide |
| V-274858 | CAT II | Ubuntu 20.04 LTS must restrict privilege elevation to authorized personnel. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide |
| V-274859 | CAT II | Ubuntu 20.04 LTS must require users to provide a password for privilege escalation. | Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide |
| V-260558 | CAT II | Ubuntu 22.04 LTS must require users to reauthenticate for privilege escalation or when changing roles. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide |
| V-274860 | CAT II | Ubuntu 22.04 LTS must require users to provide a password for privilege escalation. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide |
| V-274861 | CAT II | The operating system must restrict privilege elevation to authorized personnel. | Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide |
| V-274869 | CAT II | Ubuntu 24.04 LTS must restrict privilege elevation to authorized personnel. | Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide |
| V-239963 | CAT II | The Cisco ASA VPN gateway must be configured to renegotiate the IPsec Security Association after eight hours or less. | Cisco ASA VPN Security Technical Implementation Guide |
| V-239964 | CAT II | The Cisco ASA VPN gateway must be configured to renegotiate the IKE security association after 24 hours or less. | Cisco ASA VPN Security Technical Implementation Guide |
| V-233601 | CAT II | PostgreSQL must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Crunchy Data PostgreSQL Security Technical Implementation Guide |
| V-259287 | CAT II | The EDB Postgres Advanced Server must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide |
| V-255248 | CAT II | SSMC must prevent nonprivileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | HPE 3PAR SSMC Operating System Security Technical Implementation Guide |
| V-215260 | CAT I | AIX must remove NOPASSWD tag from sudo config files. | IBM AIX 7.x Security Technical Implementation Guide |
| V-215261 | CAT II | AIX must remove !authenticate option from sudo config files. | IBM AIX 7.x Security Technical Implementation Guide |
| V-215292 | CAT II | If GSSAPI authentication is not required on AIX, the SSH daemon must disable GSSAPI authentication. | IBM AIX 7.x Security Technical Implementation Guide |
| V-250340 | CAT II | HTTP session timeout must be configured. | IBM WebSphere Liberty Server Security Technical Implementation Guide |
| V-253735 | CAT II | MariaDB must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | MariaDB Enterprise 10.x Security Technical Implementation Guide |
| V-278112 | CAT II | Windows Server 2025 must not save passwords in the Remote Desktop Client. | Microsoft Windows Server 2025 Security Technical Implementation Guide |
| V-278114 | CAT II | Windows Server 2025 Remote Desktop Services must always prompt a client for passwords upon connection. | Microsoft Windows Server 2025 Security Technical Implementation Guide |
| V-278130 | CAT II | Windows Server 2025 Windows Remote Management (WinRM) service must not store RunAs credentials. | Microsoft Windows Server 2025 Security Technical Implementation Guide |
| V-278232 | CAT II | Windows Server 2025 User Account Control (UAC) approval mode for the built-in Administrator must be enabled. | Microsoft Windows Server 2025 Security Technical Implementation Guide |
| V-278235 | CAT II | Windows Server 2025 User Account Control (UAC) must automatically deny standard user requests for elevation. | Microsoft Windows Server 2025 Security Technical Implementation Guide |
| V-278238 | CAT II | Windows Server 2025 User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC. | Microsoft Windows Server 2025 Security Technical Implementation Guide |
| V-260903 | CAT II | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls on MKE must be set. | Mirantis Kubernetes Engine Security Technical Implementation Guide |
| V-221692 | CAT II | The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation. | Oracle Linux 7 Security Technical Implementation Guide |
| V-228569 | CAT II | The Oracle Linux operating system must be configured so users must re-authenticate for privilege escalation. | Oracle Linux 7 Security Technical Implementation Guide |
| V-237629 | CAT II | The Oracle Linux operating system must require re-authentication when using the "sudo" command. | Oracle Linux 7 Security Technical Implementation Guide |
| V-251700 | CAT II | The Oracle Linux operating system must not be configured to bypass password requirements for privilege escalation. | Oracle Linux 7 Security Technical Implementation Guide |
| V-248581 | CAT II | OL 8 must require users to provide a password for privilege escalation. | Oracle Linux 8 Security Technical Implementation Guide |
| V-248582 | CAT II | OL 8 must require users to reauthenticate for privilege escalation and changing roles. | Oracle Linux 8 Security Technical Implementation Guide |
| V-248585 | CAT II | OL 8 must require reauthentication when using the "sudo" command. | Oracle Linux 8 Security Technical Implementation Guide |
| V-252656 | CAT II | The OL 8 operating system must not be configured to bypass password requirements for privilege escalation. | Oracle Linux 8 Security Technical Implementation Guide |
| V-235178 | CAT II | The MySQL Database Server 8.0 must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Oracle MySQL 8.0 Security Technical Implementation Guide |
| V-230271 | CAT II | RHEL 8 must require users to provide a password for privilege escalation. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide |
| V-230272 | CAT II | RHEL 8 must require users to reauthenticate for privilege escalation. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide |
| V-237643 | CAT II | RHEL 8 must require re-authentication when using the "sudo" command. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide |
| V-251712 | CAT II | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation. | Red Hat Enterprise Linux 8 Security Technical Implementation Guide |
| V-258084 | CAT II | RHEL 9 must require reauthentication when using the "sudo" command. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258086 | CAT II | RHEL 9 must require users to reauthenticate for privilege escalation. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258088 | CAT II | RHEL 9 must restrict the use of the "su" command. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258106 | CAT II | RHEL 9 must require users to provide a password for privilege escalation. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-258118 | CAT II | RHEL 9 must not be configured to bypass password requirements for privilege escalation. | Red Hat Enterprise Linux 9 Security Technical Implementation Guide |
| V-257544 | CAT II | OpenShift must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. | Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide |
| V-251221 | CAT II | Redis Enterprise DBMS must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | Redis Enterprise 6.x Security Technical Implementation Guide |
| V-217112 | CAT I | The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide |
| V-237605 | CAT II | The SUSE operating system must require re-authentication when using the "sudo" command. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide |
| V-251720 | CAT II | The SUSE operating system must not be configured to bypass password requirements for privilege escalation. | SUSE Linux Enterprise Server 12 Security Technical Implementation Guide |
| V-221937 | CAT III | Splunk Enterprise idle session timeout must be set to not exceed 15 minutes. | Splunk Enterprise 7.x for Windows Security Technical Implementation Guide |
| V-251657 | CAT II | Splunk Enterprise idle session timeout must be set to not exceed 15 minutes. | Splunk Enterprise 8.x for Linux Security Technical Implementation Guide |
| V-252931 | CAT II | TOSS must require reauthentication when using the "sudo" command. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide |
| V-252958 | CAT II | TOSS must require users to reauthenticate for privilege escalation. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide |
| V-252959 | CAT II | TOSS must require users to provide a password for privilege escalation. | Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide |
| V-259015 | CAT II | The vCenter ESX Agent Manager service must set an inactive timeout for sessions. | VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide |
| V-258920 | CAT II | The vCenter Server must terminate vSphere Client sessions after 15 minutes of inactivity. | VMware vSphere 8.0 vCenter Security Technical Implementation Guide |