CCI-000186

OpenSSH Service Must Use Passcode for Their Private Keys

AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.

Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web servers private key.

Only authenticated system administrators or the designated PKI Sponsor for the application server must have access to the web servers private key.

The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

The TSIG keys used with the BIND 9.x implementation must be owned by a privileged account.

The TSIG keys used with the BIND 9.x implementation must be group owned by a privileged account.

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.

The BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.

The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.

The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.

Docker Enterprise Swarm manager must be run in auto-lock mode.

Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.

The DNS server implementation, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

The key file must be owned by the account under which the name server software is run.

Read/Write access to the key file must be restricted to the account that runs the name server software only.

Only the private key corresponding to the ZSK alone must be kept on the name server that does support dynamic updates.

Signature generation using the KSK must be done off-line, using the KSK-private stored off-line.

A unique TSIG key must be generated for each pair of communicating hosts.

Infoblox systems that communicate with non-Grid name servers must use a unique Transaction Signature (TSIG).

The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it.

The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Zone Signing Key (ZSK) residing on it.

The WebSphere Application Server default keystore passwords must be changed.

The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions.

The JBoss server must be configured to restrict access to the web servers private key to authenticated system administrators.

The Mainframe Product, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.

The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.

The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.

The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.

Access to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm.

Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm.

Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.

The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys.

The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.

The Apache web server must be configured to use a specified IP address and port.

Default password for keystore must be changed.

Keystore file must be protected.

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

The macOS system must disable password authentication for SSH.

The macOS system must enforce smart card authentication.

PostgreSQL must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL.

The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/used by the EDB Postgres Advanced Server.

The DBMS must enforce authorized access to all PKI private keys stored/utilized by the DBMS.

The operating system, for PKI-based authentication, must enforce authorized access to the corresponding private key.

SSMC web server application, libraries, and configuration files must only be accessible to privileged users.

AIX SSH private host key files must have mode 0600 or less permissive.

IBM z/OS for PKI-based authentication must use ICSF or the ESM to store keys.

IBM z/OS must use ICSF or SAF Key Rings for key management.

MarkLogic Server must enforce authorized access to all PKI private keys stored/utilized by the DBMS.

MariaDB must enforce authorized access to all PKI private keys stored/used by the DBMS.

MongoDB must enforce authorized access to all PKI private keys stored/utilized by MongoDB.

Encryption keys used for the .NET Strong Name Membership Condition must be protected.

SQL Server must enforce authorized access to all PKI private keys stored/utilized by SQL Server.

Users must be required to enter a password to access private keys stored on the computer.

Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.

Windows Server 2022 users must be required to enter a password to access private keys stored on the computer.

The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.

OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

The MySQL Database Server 8.0 must enforce authorized access to all PKI private keys stored/utilized by the MySQL Database Server 8.0.

Redis Enterprise DBMS must enforce authorized access to all PKI private keys stored/used by Redis Enterprise DBMS.

RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.

Only authenticated system administrators or the designated PKI Sponsor for an Automation Controller NGINX web server must have access to any Automation Controller NGINX web server's private key.

RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.

The VMM, for PKI-based authentication, must enforce authorized access to the corresponding private key.

VAMI must protect the keystore from unauthorized access.

VMware Postgres must enforce authorized access to all public key infrastructure (PKI) private keys.

The Envoy private key file must be protected from unauthorized access.

The vCenter Envoy service private key file must be protected from unauthorized access.

The vCenter PostgreSQL service must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL.

The vCenter VAMI service must restrict access to the web server's private key.

Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web servers private key.

The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/utilized by the EDB Postgres Advanced Server.

The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.

The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.

The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.

The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.

A unique Transaction Signature (TSIG) key must be generated for each pair of communicating hosts.

PostgreSQL must enforce authorized access to all PKI private keys stored/used by PostgreSQL.

Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.

MongoDB must enforce authorized access to all PKI private keys stored/used by MongoDB.

SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key.

TOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key.