CCI-000186
For public key-based authentication, enforce authorized access to the corresponding private key.
The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.
1 rule found Severity: Medium

1 rule found Severity: Medium

Infoblox systems that communicate with non-Grid name servers must use a unique Transaction Signature (TSIG).
1 rule found Severity: Medium

The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Key Signing Key (KSK) residing on it.
1 rule found Severity: High

The Infoblox Grid Master must be configured as a stealth (hidden) domain name server in order to protect the Zone Signing Key (ZSK) residing on it.
1 rule found Severity: High

1 rule found Severity: High

The IBM z/VM TCP/IP Key database for LDAP or SSL server must be created with the proper permissions.
1 rule found Severity: Medium

Only the private key corresponding to the ZSK must be kept on the name server that does support dynamic updates.
2 rules found Severity: Medium

2 rules found Severity: Medium

The Windows 2012 DNS Server must be configured to enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

The Windows 2012 DNS Server key file must be owned by the account under which the Windows 2012 DNS Server service is run.
1 rule found Severity: Medium

The Windows 2012 DNS Server permissions must be set so that the key file can only be read or modified by the account that runs the name server software.
1 rule found Severity: Medium

The private key corresponding to the ZSK must only be stored on the name server that does support dynamic updates.
1 rule found Severity: Medium

Access to the SDN management and orchestration systems must be authenticated using a FIPS-approved message authentication code algorithm.
1 rule found Severity: Medium

Southbound API management plane traffic for provisioning and configuring virtual network elements within the SDN infrastructure must be authenticated using a FIPS-approved message authentication code algorithm.
1 rule found Severity: Medium

Southbound API management plane traffic for configuring SDN parameters on physical network elements must be authenticated using DOD PKI certificate-based authentication.
1 rule found Severity: Medium

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.
1 rule found Severity: High

The Tanium Server certificate and private/public keys directory must be protected with appropriate permissions.
2 rules found Severity: High

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

2 rules found Severity: High

The DBMS, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
2 rules found Severity: High

2 rules found Severity: High

The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/utilized by the EDB Postgres Advanced Server.
1 rule found Severity: High

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.
1 rule found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Medium

The read and write access to a TSIG key file used by a BIND 9.x server must be restricted to only the account that runs the name server software.
1 rule found Severity: Medium

The BIND 9.x server private key corresponding to the ZSK pair must be the only DNSSEC key kept on a name server that supports dynamic updates.
1 rule found Severity: High

The BIND 9.x server signature generation using the KSK must be done off-line, using the KSK-private key stored off-line.
1 rule found Severity: High

1 rule found Severity: High

The DNS server implementation, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

1 rule found Severity: Medium

Read/Write access to the key file must be restricted to the account that runs the name server software only.
1 rule found Severity: Medium

The EDB Postgres Advanced Server must enforce authorized access to all PKI private keys stored/used by the EDB Postgres Advanced Server.
1 rule found Severity: High

1 rule found Severity: Medium

SSMC web server application, libraries, and configuration files must only be accessible to privileged users.
1 rule found Severity: Medium

1 rule found Severity: Medium

The JBoss server must be configured to restrict access to the web server's private key to authenticated system administrators.
1 rule found Severity: Medium

MarkLogic Server must enforce authorized access to all PKI private keys stored/utilized by the DBMS.
1 rule found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

The Windows DNS Server must be configured to enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

The Windows DNS Server key file must be owned by the account under which the Windows DNS Server service is run.
1 rule found Severity: Medium

The Windows DNS Server permissions must be set so the key file can only be read or modified by the account that runs the name server software.
1 rule found Severity: Medium

The private key corresponding to the zone signing key (ZSK) must only be stored on the name server that does support dynamic updates.
1 rule found Severity: Medium

1 rule found Severity: Medium

The MySQL Database Server 8.0 must enforce authorized access to all PKI private keys stored/utilized by the MySQL Database Server 8.0.
1 rule found Severity: High

Redis Enterprise DBMS must enforce authorized access to all PKI private keys stored/used by Redis Enterprise DBMS.
1 rule found Severity: High

Only authenticated system administrators or the designated PKI Sponsor for an Automation Controller NGINX web server must have access to any Automation Controller NGINX web server's private key.
1 rule found Severity: Medium

SLEM 5, for PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

TOSS, for PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

Only authenticated system administrators or the designated PKI Sponsor for the web server must have access to the web server's private key.
1 rule found Severity: Medium

1 rule found Severity: Medium

AAA Services must be configured to enforce authorized access to the corresponding private key for PKI-based authentication.
1 rule found Severity: Medium

1 rule found Severity: Medium

Only authenticated system administrators or the designated PKI Sponsor for the Apache web server must have access to the Apache web server's private key.
2 rules found Severity: Medium

Only authenticated system administrators or the designated PKI Sponsor for the application server must have access to the web server's private key.
1 rule found Severity: Medium

The application, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: High

The Central Log Server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: High

For PKI-based authentication, AlmaLinux OS 9 must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

1 rule found Severity: High

Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.
1 rule found Severity: Medium

The operating system, for PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

1 rule found Severity: Medium

The Mainframe Product, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

Windows Server 2019 users must be required to enter a password to access private keys stored on the computer.
1 rule found Severity: Medium

Windows Server 2022 users must be required to enter a password to access private keys stored on the computer.
1 rule found Severity: Medium

OL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

RHEL 9, for PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

The UEM Agent must use managed endpoint device key storage for all persistent secret and private keys.
1 rule found Severity: Medium

The VMM, for PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

The UEM server, when using PKI-based authentication, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

The site-to-site VPN, when using PKI-based authentication for devices, must enforce authorized access to the corresponding private key.
1 rule found Severity: Medium

The vCenter PostgreSQL service must enforce authorized access to all PKI private keys stored/utilized by PostgreSQL.
1 rule found Severity: High
