Red Hat Virtualization Host - Identification and Authentication

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control | Name | Status
IA-1 | Identification And Authentication Policy And Procedures | not applicable
IA-2 | Identification And Authentication (Organizational Users) | complete
IA-2 (1) | Network Access To Privileged Accounts | complete
IA-2 (2) | Network Access To Non-Privileged Accounts |
IA-2 (3) | Local Access To Privileged Accounts |
IA-2 (4) | Local Access To Non-Privileged Accounts |
IA-2 (5) | Group Authentication |
IA-2 (6) | Network Access To Privileged Accounts - Separate Device |
IA-2 (7) | Network Access To Non-Privileged Accounts - Separate Device |
IA-2 (8) | Network Access To Privileged Accounts - Replay Resistant |
IA-2 (9) | Network Access To Non-Privileged Accounts - Replay Resistant |
IA-2 (10) | Single Sign-On |
IA-2 (11) | Remote Access - Separate Device |
IA-2 (12) | Acceptance Of PIV Credentials | complete
IA-2 (13) | Out-Of-Band Authentication |
IA-3 | Device Identification And Authentication |
IA-3 (1) | Cryptographic Bidirectional Authentication |
IA-3 (2) | Cryptographic Bidirectional Network Authentication |
IA-3 (3) | Dynamic Address Allocation |
IA-3 (4) | Device Attestation |
IA-4 | Identifier Management | partial
IA-4 (1) | Prohibit Account Identifiers As Public Identifiers |
IA-4 (2) | Supervisor Authorization |
IA-4 (3) | Multiple Forms Of Certification |
IA-4 (4) | Identify User Status |
IA-4 (5) | Dynamic Management |
IA-4 (6) | Cross-Organization Management |
IA-4 (7) | In-Person Registration |
IA-5 | Authenticator Management | not applicable
IA-5 (1) | Password-Based Authentication | complete
IA-5 (2) | PKI-Based Authentication |
IA-5 (3) | In-Person Or Trusted Third-Party Registration |
IA-5 (4) | Automated Support For Password Strength Determination |
IA-5 (5) | Change Authenticators Prior To Delivery |
IA-5 (6) | Protection Of Authenticators |
IA-5 (7) | No Embedded Unencrypted Static Authenticators |
IA-5 (8) | Multiple Information System Accounts |
IA-5 (9) | Cross-Organization Credential Management |
IA-5 (10) | Dynamic Credential Association |
IA-5 (11) | Hardware Token-Based Authentication | not applicable
IA-5 (12) | Biometric-Based Authentication |
IA-5 (13) | Expiration Of Cached Authenticators |
IA-5 (14) | Managing Content Of PKI Trust Stores |
IA-5 (15) | FICAM-Approved Products And Services |
IA-6 | Authenticator Feedback | complete
IA-7 | Cryptographic Module Authentication | complete
IA-8 | Identification And Authentication (Non-Organizational Users) | complete
IA-8 (1) | Acceptance Of PIV Credentials From Other Agencies | not applicable
IA-8 (2) | Acceptance Of Third-Party Credentials | not applicable
IA-8 (3) | Use Of FICAM-Approved Products | not applicable
IA-8 (4) | Use Of FICAM-Issued Profiles | not applicable
IA-8 (5) | Acceptance Of PIV-I Credentials |
IA-9 | Service Identification And Authentication |
IA-9 (1) | Information Exchange |
IA-9 (2) | Transmission Of Decisions |
IA-10 | Adaptive Identification And Authentication |
IA-11 | Re-Authentication |



IA-1: Identification And Authentication Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and b. Reviews and updates the current: 1. Identification and authentication policy [Assignment: organization-defined frequency]; and 2. Identification and authentication procedures [Assignment: organization-defined frequency].

IA-1 Control Response Information
Implementation Status:

not applicable

IA-1: What is the solution and how is it implemented?
IA-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

IA-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’




IA-2: Identification And Authentication (Organizational Users)

“The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).”

IA-2 Control Response Information
Implementation Status:

complete

IA-2: What is the solution and how is it implemented?

The following configuration checks are required to ensure Red Hat Virtualization Host (RHVH) uniquely identifies organizational users:

  • CCE-27309-4: Set Boot Loader Password in grub2
  • CCE-80354-4: Set UEFI Boot Loader Password
  • CCE-27287-2: Require Authentication for Single User Mode
  • CCE-27175-9: Verify Only Root Has UID 0
  • CCE-27294-8: Direct root Logins Not Allowed
  • CCE-80650-5: Ensure that System Accounts are Locked
  • CCE-27268-2: Restrict Serial Port Root Logins
  • CCE-27318-5: Restrict Virtual Console Root Logins
  • CCE-27445-6: Disable SSH Root Login



IA-2 (1): Network Access To Privileged Accounts

“The information system implements multifactor authentication for network access to privileged accounts.”

IA-2 (1) Control Response Information
Implementation Status:

complete

IA-2 (1): What is the solution and how is it implemented?

The following configuration checks are required to ensure Red Hat Virtualization Host (RHVH) implements multifactor authentication for network access to privileged accounts:

  • CCE-80207-4: Enable Smart Card Login



IA-2 (2): Network Access To Non-Privileged Accounts

“The information system implements multifactor authentication for network access to non-privileged accounts.”

IA-2 (2) Control Response Information
Implementation Status:
IA-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (3): Local Access To Privileged Accounts

“The information system implements multifactor authentication for local access to privileged accounts.”

IA-2 (3) Control Response Information
Implementation Status:
IA-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (4): Local Access To Non-Privileged Accounts

“The information system implements multifactor authentication for local access to non-privileged accounts.”

IA-2 (4) Control Response Information
Implementation Status:
IA-2 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (5): Group Authentication

“The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.”

IA-2 (5) Control Response Information
Implementation Status:
IA-2 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (6): Network Access To Privileged Accounts - Separate Device

“The information system implements multifactor authentication for network access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].”

IA-2 (6) Control Response Information
Implementation Status:
IA-2 (6): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (7): Network Access To Non-Privileged Accounts - Separate Device

“The information system implements multifactor authentication for network access to non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].”

IA-2 (7) Control Response Information
Implementation Status:
IA-2 (7): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (8): Network Access To Privileged Accounts - Replay Resistant

“The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.”

IA-2 (8) Control Response Information
Implementation Status:
IA-2 (8): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (9): Network Access To Non-Privileged Accounts - Replay Resistant

“The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.”

IA-2 (9) Control Response Information
Implementation Status:
IA-2 (9): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (10): Single Sign-On

“The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services].”

IA-2 (10) Control Response Information
Implementation Status:
IA-2 (10): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (11): Remote Access - Separate Device

“The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].”

IA-2 (11) Control Response Information
Implementation Status:
IA-2 (11): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-2 (12): Acceptance Of PIV Credentials

“The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.”

IA-2 (12) Control Response Information
Implementation Status:

complete

IA-2 (12): What is the solution and how is it implemented?

The following configuration checks are required to ensure Red Hat Virtualization Host (RHVH) accepts Personal Identity Verification (PIV) credentials:

  • CCE-80207-4: Enable Smart Card Login



IA-2 (13): Out-Of-Band Authentication

“The information system implements [Assignment: organization-defined out-of-band authentication] under [Assignment: organization-defined conditions].”

IA-2 (13) Control Response Information
Implementation Status:
IA-2 (13): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-3: Device Identification And Authentication

“The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.”

IA-3 Control Response Information
Implementation Status:
IA-3: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-3 (1): Cryptographic Bidirectional Authentication

“The information system authenticates [Assignment: organization-defined specific devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.”

IA-3 (1) Control Response Information
Implementation Status:
IA-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



IA-3 (2): Cryptographic Bidirectional Network Authentication

“[Withdrawn: Incorporated into IA-3 (1)].”

IA-3 (2) Control Response Information
Implementation Status:
IA-3 (2): What is the solution and how is it implemented?