CCI-001954

Enable the GNOME3 Login Smartcard Authentication

Install the opensc Package For Multifactor Authentication

Install the pcsc-lite package

Install Smart Card Packages For Multifactor Authentication

Enable the pcscd Service

Configure Smart Card Certificate Status Checking

Configure PAM in SSSD Services

Enable Smartcards in SSSD

Certificate status checking in SSSD

Enable Smart Card Logins in PAM

Compliance Guardian must use multifactor authentication for network access to privileged accounts.

The application server must electronically verify Personal Identity Verification (PIV) credentials for access to the management interface.

The application must electronically verify Personal Identity Verification (PIV) credentials.

The Central Log Server must be configured to electronically verify the DoD CAC credential.

Citrix Receiver must accept Personal Identity Verification (PIV) credentials.

Citrix StoreFront server must accept Personal Identity Verification (PIV) credentials.

LDAP integration in Docker Enterprise must be configured.

SAML integration must be enabled in Docker Enterprise.

The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used.

WebGUI access to the MQ Appliance network device must electronically verify Personal Identity Verification (PIV) credentials.

The Mainframe Product must electronically verify Personal Identity Verification (PIV) credentials.

Nutanix AOS must accept Personal Identity Verification (PIV) credentials to access the management interface.

Innoslate must use multifactor authentication for network access to privileged and non-privileged accounts.

Common Access Card (CAC)-based authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The Tanium application must electronically verify Personal Identity Verification (PIV) credentials.

Multi-factor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.

The VPN Gateway must electronically verify the Common Access Card (CAC) credential.

Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.

The macOS system must set smart card certificate trust to moderate.

The Ubuntu operating system must implement smart card logins for multifactor authentication for access to accounts.

The Ubuntu operating system must implement certificate status checking for multifactor authentication.

The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.

The operating system must electronically verify Personal Identity Verification (PIV) credentials.

The AIX operating system must accept and verify Personal Identity Verification (PIV) credentials.

The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts.

Prevent ignoring certificate errors option must be enabled.

The Oracle Linux operating system must have the required packages for multifactor authentication installed.

The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The Oracle Linux operating system must implement certificate status checking for PKI authentication.

OL 8 must implement certificate status checking for multifactor authentication.

Automation Controller must be configured to use an enterprise user management system.

The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed.

The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication.

RHEL 9 must have the openssl-pkcs11 package installed.

The SUSE operating system must have the packages required for multifactor authentication to be installed.

The SUSE operating system must implement certificate status checking for multifactor authentication.

The SUSE operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

RHEL 9 must implement certificate status checking for multifactor authentication.

The VMM must electronically verify Personal Identity Verification (PIV) credentials.

The vCenter Server must enable revocation checking for certificate-based authentication.

Ubuntu 22.04 LTS must electronically verify personal identity verification (PIV) credentials.

The cloud service offering (CSO) must be configured to use DOD public key infrastructure (PKI) to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).

Dragos Platform must accept the DOD CAC or other PKI credential for identity management and personal authentication.

SLEM 5 must have the packages required for multifactor authentication to be installed.

SLEM 5 must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM).

SLEM 5 must implement certificate status checking for multifactor authentication.

Multifactor authentication must be enabled and enforced on the Tanium Server for all access and all accounts.