Skip to content
Log In

CCI-000187

For public key-based authentication, map the authenticated identity to the account of the individual or group.

Enable Certificate Verification

1 rule found Severity: Medium

Logo

Enable Certmap in SSSD

9 rules found Severity: Medium

Logo

Enable Smart Card Logins in PAM

5 rules found Severity: Medium

Logo

Verify that 'use_mappers' is set to 'pwent' in PAM

2 rules found Severity: Low

Logo

Compliance Guardian must use multifactor authentication for network access to privileged accounts.

1 rule found Severity: High

Logo

The CA API Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.

1 rule found Severity: Medium

Logo

The HP FlexFabric Switch must map the authenticated identity to the user account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The DataPower Gateway must map the authenticated identity to the user account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account.

1 rule found Severity: Medium

Logo

The MQ Appliance messaging server must map the authenticated identity to the individual messaging user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

WebGUI access to the MQ Appliance network device must map the authenticated identity to the user account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

1 rule found Severity: Medium

Logo

The WebSphere Application Server must authenticate all network-connected endpoint devices before establishing any connection.

1 rule found Severity: Medium

Logo

The WebSphere Application Server must use signer for DoD-issued certificates.

1 rule found Severity: Medium

Logo

MobileIron Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

The Sentry providing PKI-based mobile device authentication intermediary services must map authenticated identities to the mobile device account.

2 rules found Severity: Medium

Logo

Firefox must be configured to ask which certificate to present to a website when a certificate is required.

1 rule found Severity: Medium

Logo

Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface.

1 rule found Severity: Medium

Logo

Oracle WebLogic must map the PKI-based authentication identity to the user account.

1 rule found Severity: Medium

Logo

Innoslate must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: High

Logo

Symantec ProxySG, when configured for reverse proxy/WAF services and providing PKI-based user authentication intermediary services, must map the client certificate to the authentication server store.

1 rule found Severity: Medium

Logo

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

2 rules found Severity: Medium

Logo

The Tanium application must be configured for LDAP user/group synchronization to map the authenticated identity to the individual user or group account for PKI-based authentication.

3 rules found Severity: Medium

Logo

The NSX-T Manager must integrate with either VMware Identity Manager (vIDM) or VMware Workspace ONE Access.

1 rule found Severity: High

Logo

The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.

1 rule found Severity: High

Logo

The Ubuntu operating system must map the authenticated identity to the user or group account for PKI-based authentication.

2 rules found Severity: High

Logo

MongoDB must map the PKI-authenticated identity to an associated user account.

3 rules found Severity: Medium

Logo

The DBMS must ensure that PKI-based authentication maps the authenticated identity to the user account.

1 rule found Severity: Medium

Logo

Processes (services, applications, etc.) that connect to the DBMS independently of individual users, must use valid, current DoD-issued PKI certificates for authentication to the DBMS.

1 rule found Severity: Medium

Logo

PostgreSQL must map the PKI-authenticated identity to an associated user account.

3 rules found Severity: Medium

Logo

The BIG-IP APM module must map the authenticated identity to the user account for PKI-based authentication to virtual servers.

1 rule found Severity: Medium

Logo

The BIG-IP Core implementation providing PKI-based, user authentication intermediary services must be configured to map the authenticated identity to the user account for PKI-based authentication to virtual servers.

1 rule found Severity: Medium

Logo

The macOS system must use multifactor authentication for local access to privileged and nonprivileged accounts.

1 rule found Severity: High

Logo

The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access.

1 rule found Severity: Medium

Logo

The Cisco ASA remote access VPN server must be configured to map the distinguished name (DN) from the client’s certificate to entries in the authentication server to determine authorization to access the network.

1 rule found Severity: Medium

Logo

The DBMS must map the PKI-authenticated identity to an associated user account.

2 rules found Severity: Medium

Logo

The F5 BIG-IP appliance providing user authentication intermediary services must uniquely identify and authenticate users using redundant authentication servers and multifactor authentication (MFA).

1 rule found Severity: High

Logo

The F5 BIG-IP appliance must be configured to use multifactor authentication (MFA) for interactive logins.

1 rule found Severity: High

Logo

The HPE 3PAR OS must map the authenticated identity to the user account for PKI-based authentication.

1 rule found Severity: High

Logo

Multifactor authentication for network access to privileged accounts must be used.

1 rule found Severity: High

Logo

The WebSphere Liberty Server must use DoD-issued/signed certificates.

1 rule found Severity: Medium

Logo

The ICS must be configured to prevent nonprivileged users from executing privileged functions.

1 rule found Severity: High

Logo

Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

MKE must be configured to integrate with an Enterprise Identity Provider.

1 rule found Severity: Medium

Logo

Azure SQL Database must map the PKI-authenticated identity to an associated user account.

1 rule found Severity: Medium

Logo

ONTAP must be configured to use an authentication server to provide multifactor authentication.

1 rule found Severity: High

Logo

The network device, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

The MySQL Database Server 8.0 must map the PKI-authenticated identity to an associated user account.

1 rule found Severity: Medium

Logo

The Riverbed NetProfiler must be configured to authenticate each administrator prior to authorizing privileges based on roles.

1 rule found Severity: High

Logo

Redis Enterprise DBMS must map the PKI-authenticated identity to an associated user account.

1 rule found Severity: Medium

Logo

Automation Controller must be configured to use an enterprise user management system.

1 rule found Severity: Medium

Logo

SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

1 rule found Severity: Medium

Logo

TOSS must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

NixOS must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access.

1 rule found Severity: Medium

Logo

AAA Services must be configured to map the authenticated identity to the user account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The macOS system must allow smart card authentication.

2 rules found Severity: Medium

Logo

The ALG providing PKI-based user authentication intermediary services must map authenticated identities to the user account.

1 rule found Severity: Medium

Logo

The application server must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The application must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: High

Logo

The Central Log Server must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: Low

Logo

AlmaLinux OS 9 must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The Dell OS10 Switch, for PKI-based authentication, must be configured to map validated certificates to unique user accounts.

1 rule found Severity: High

Logo

Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.

1 rule found Severity: Medium

Logo

The operating system must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

AOS must be configured to use DOD public key infrastructure (PKI) as multifactor authentication (MFA) for interactive logins.

1 rule found Severity: High

Logo

The HYCU virtual appliance must be configured to use DOD-approved online certificate status protocol (OCSP) responders or certificate revocation lists (CRLs) to validate certificates used for PKI-based authentication.

1 rule found Severity: High

Logo

The Remote Access VPN Gateway must use a separate authentication server (e.g., Lightweight Directory Access Protocol [LDAP], Remote Authentication Dial-In User Service [RADIUS], Terminal Access Controller Access-Control System+ [TACACS+] to perform user authentication.

1 rule found Severity: Medium

Logo

The VPN Gateway must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

1 rule found Severity: Medium

Logo

IBM z/OS must use ICSF or SAF Key Rings for key management.

1 rule found Severity: Medium

Logo

IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management.

1 rule found Severity: Medium

Logo

The Mainframe Product must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

MariaDB must map PKI ID to an associated user account.

1 rule found Severity: Medium

Logo

Oracle Database must map the PKI-authenticated identity to an associated user account.

1 rule found Severity: Medium

Logo

Prisma Cloud Compute must be configured to require local user accounts to use x.509 multifactor authentication.

1 rule found Severity: Medium

Logo

OL 8 must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

OpenShift must use FIPS validated LDAP or OpenIDConnect.

1 rule found Severity: High

Logo

RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

RHEL 9 must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

2 rules found Severity: Medium

Logo

The VMM must map the authenticated identity to the user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The UEM server must map the authenticated identity to the individual user or group account for PKI-based authentication.

1 rule found Severity: Medium

Logo

The Remote Access VPN Gateway must use a separate authentication server (e.g., LDAP, RADIUS, TACACS+) to perform user authentication.

1 rule found Severity: Medium

Logo

The VPN Gateway must map the authenticated identity to the user account for PKI-based authentication.

1 rule found Severity: Medium

Logo

Rancher MCM must use a centralized user management solution to support account management functions. For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process.

1 rule found Severity: High

Logo