CCI-000196
The information system, for password-based authentication, stores only cryptographically-protected passwords.
20
Rule
Severity: Medium
Set PAM's Password Hashing Algorithm
28
Rule
Severity: Medium
Verify No netrc Files Exist
4
Rule
Severity: Medium
Ensure system-auth and password-auth files are symbolic links pointing to system-auth-local and password-auth-local
14
Rule
Severity: Medium
Set Password Hashing Algorithm in /etc/libuser.conf
16
Rule
Severity: Medium
Set Password Hashing Algorithm in /etc/login.defs
13
Rule
Severity: Medium
Set PAM's Password Hashing Algorithm - password-auth
14
Rule
Severity: Medium
Set number of Password Hashing Rounds - password-auth
14
Rule
Severity: Medium
Set number of Password Hashing Rounds - system-auth
8
Rule
Severity: Medium
Set Password Hashing Rounds in /etc/login.defs
10
Rule
Severity: Medium
Verify All Account Password Hashes are Shadowed with SHA512
1
Rule
Severity: High
AAA Services must be configured to encrypt locally stored credentials using a FIPS-validated cryptographic module.
1
Rule
Severity: Medium
Compliance Guardian must provide automated mechanisms for supporting account management functions.
1
Rule
Severity: Medium
The application server must store only encrypted representations of passwords.
2
Rule
Severity: High
The application must only store cryptographic representations of passwords.
1
Rule
Severity: High
For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords.
2
Rule
Severity: High
The WebSphere Liberty Server must store only encrypted representations of user passwords.
1
Rule
Severity: High
CA VM:Secure product Password Encryption (PEF) option must be properly configured to store and transmit cryptographically-protected passwords.
2
Rule
Severity: Medium
The JBoss Password Vault must be used for storing passwords or other sensitive configuration information.
2
Rule
Severity: Medium
JBoss KeyStore and Truststore passwords must not be stored in clear text.
2
Rule
Severity: Medium
The Apache Tomcat Manager Web app password must be cryptographically hashed with a DoD approved algorithm.
2
Rule
Severity: Medium
A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.
1
Rule
Severity: Medium
The Mainframe Product must store only cryptographically protected passwords.
1
Rule
Severity: High
The network device must only store cryptographic representations of passwords.
1
Rule
Severity: High
Nutanix AOS must store only encrypted representations of passwords.
2
Rule
Severity: High
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1
Rule
Severity: Medium
For UEM server using password authentication, the application must store only cryptographic representations of passwords.
1
Rule
Severity: Medium
For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).
1
Rule
Severity: Medium
The Ubuntu operating system must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
2
Rule
Severity: Low
The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
4
Rule
Severity: High
If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.
3
Rule
Severity: High
The Cisco router must only store cryptographic representations of passwords.
3
Rule
Severity: High
The Cisco switch must only store cryptographic representations of passwords.
1
Rule
Severity: Medium
For container platform using password authentication, the application must store only cryptographic representations of passwords.
3
Rule
Severity: High
If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.
1
Rule
Severity: High
If passwords are used for authentication, the DBMS must store only hashed, salted representations of passwords.
4
Rule
Severity: High
The operating system must store only encrypted representations of passwords.
2
Rule
Severity: High
If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
2
Rule
Severity: High
The AIX system must have no .netrc files on the system.
1
Rule
Severity: High
IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.
1
Rule
Severity: High
ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
1
Rule
Severity: High
NIST FIPS-validated cryptography must be used to protect passwords in the security database.
1
Rule
Severity: Medium
IBM Passtickets must be configured to be KeyEncrypted.
2
Rule
Severity: High
The Juniper EX switch must be configured to only store cryptographic representations of passwords.
2
Rule
Severity: High
Secrets in Kubernetes must not be stored as environment variables.
2
Rule
Severity: High
If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.
3
Rule
Severity: High
If passwords are used for authentication, MongoDB must store only hashed, salted representations of passwords.
6
Rule
Severity: High
Reversible password encryption must be disabled.
6
Rule
Severity: High
The system must be configured to prevent the storage of the LAN Manager hash of passwords.
2
Rule
Severity: High
Windows Server 2016 reversible password encryption must be disabled.
2
Rule
Severity: High
Windows Server 2016 must be configured to prevent the storage of the LAN Manager hash of passwords.
3
Rule
Severity: High
Windows Server 2019 reversible password encryption must be disabled.
3
Rule
Severity: High
Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
3
Rule
Severity: High
Windows Server 2022 reversible password encryption must be disabled.
3
Rule
Severity: High
Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.
1
Rule
Severity: Medium
The DBMS must support organizational requirements to enforce password encryption for storage.
2
Rule
Severity: High
The DBMS must support organizational requirements to enforce password encryption for storage.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
2
Rule
Severity: Medium
The Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.
2
Rule
Severity: Medium
OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
2
Rule
Severity: Medium
OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
2
Rule
Severity: Medium
The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
2
Rule
Severity: Medium
If passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords.
2
Rule
Severity: Medium
If passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords.
2
Rule
Severity: Medium
Rancher RKE2 must store only cryptographic representations of passwords.
2
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
2
Rule
Severity: Medium
RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
2
Rule
Severity: Medium
RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
2
Rule
Severity: Medium
The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
1
Rule
Severity: Medium
The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.
8
Rule
Severity: Medium
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
4
Rule
Severity: Medium
The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
2
Rule
Severity: Medium
RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
2
Rule
Severity: Medium
RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
2
Rule
Severity: Medium
RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
2
Rule
Severity: Medium
RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.
1
Rule
Severity: Medium
RHEL 9 shadow password suite must be configured to use a sufficient number of hashing rounds.
2
Rule
Severity: Medium
RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
2
Rule
Severity: Medium
RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.
2
Rule
Severity: Medium
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
1
Rule
Severity: Medium
The VMM must store only encrypted representations of passwords.
2
Rule
Severity: Medium
The Photon operating system must store only encrypted representations of passwords.
1
Rule
Severity: Medium
The vPostgres database must use "md5" for authentication.
3
Rule
Severity: High
The vCenter PostgreSQL service must encrypt passwords for user authentication.
1
Rule
Severity: Medium
The BIG-IP appliance must only store encrypted representations of passwords.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must store only encrypted representations of passwords.
1
Rule
Severity: Medium
For accounts using password or PINs for authentication, the Enterprise Voice, Video, and Messaging Endpoint must store only cryptographic representations of passwords.
1
Rule
Severity: Medium
When using locally stored user accounts, the Enterprise Voice, Video, and Messaging Session Manager must store only cryptographic representations of passwords.
1
Rule
Severity: Medium
Swarm Secrets or Kubernetes Secrets must be used.
1
Rule
Severity: Medium
SLEM 5 must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
1
Rule
Severity: High
SLEM 5 must employ FIPS 140-2/140-3-approved cryptographic hashing algorithms for system authentication.
1
Rule
Severity: High
SLEM 5 shadow password suite must be configured to use a sufficient number of hashing rounds.