CCI-000877

Enable PAM

Use Only FIPS 140-2 Validated Ciphers

Use Only FIPS 140-2 Validated MACs

Set kernel parameter 'crypto.fips_enabled' to 1

Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config

Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config

Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config

Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config

The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

The DNS server implementation must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

User credentials which would allow remote access to the system by the Service Processor must be removed from the storage system.

The Infoblox system must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

The Infoblox system must be configured to employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

Nutanix AOS must implement DoD-approved encryption to protect the confidentiality of remote access sessions.

Oracle WebLogic must employ strong identification and authentication techniques when establishing nonlocal maintenance and diagnostic sessions.

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The macOS system must implement approved ciphers to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs).

The macOS system must implement approved Key Exchange Algorithms.

The macOS system must implement approved ciphers within the SSH client configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH client configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH client configuration.

The macOS system must implement approved ciphers within the SSH server configuration to protect the confidentiality of SSH connections.

The macOS system must implement approved Message Authentication Codes (MACs) within the SSH server configuration.

The macOS system must implement approved Key Exchange Algorithms within the SSH server configuration.

The macOS system must disable password authentication for SSH.

The Ubuntu operating system must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions.

The operating system must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

SSMC must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

AIX must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

CA-ACF2 defined user accounts must uniquely identify system users.

CA-TSS user accounts must uniquely identify system users.

IBM RACF user accounts must uniquely identify system users.

The Windows Remote Management (WinRM) client must not use Basic authentication.

The Windows Remote Management (WinRM) service must not use Basic authentication.

The Windows Remote Management (WinRM) client must not use Digest authentication.

Windows Server 2019 Windows Remote Management (WinRM) client must not use Basic authentication.

Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication.

Windows Server 2019 Windows Remote Management (WinRM) service must not use Basic authentication.

Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication.

Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication.

Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication.

OL 8 must implement NIST FIPS-validated cryptography for the following: To provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

The Oracle Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections.

The OL 8 SSH server must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms.

The OL 8 SSH server must be configured to use only ciphers employing FIPS 140-2 validated cryptographic algorithms.

Red Hat Enterprise Linux CoreOS (RHCOS) must disable SSHD service.

The SUSE operating system SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.

RHEL 9 must enable the Pluggable Authentication Module (PAM) interface for SSHD.

RHEL 9 must enable FIPS mode.

The boundary protection system (firewall) must be configured to deny network traffic by default and must allow network traffic by exception (i.e., deny all, permit by exception).

The VMM must employ strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.

The Photon operating system must use an OpenSSH server version that does not support protocol 1.

Ubuntu 22.04 LTS must use strong authenticators in establishing nonlocal maintenance and diagnostic sessions.

SLEM 5 must implement DOD-approved encryption to protect the confidentiality of SSH remote connections.

SLEM 5 SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2/140-3 approved cryptographic hash algorithms.

The TOSS operating system must implement DoD-approved encryption in the OpenSSL package.