Capacity
CCI-004062
For password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
1
Rule
Severity: High
For password-based authentication, AAA Services must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash.
1
Rule
Severity: Medium
The application server must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
1
Rule
Severity: High
The application must only store cryptographic representations of passwords.
1
Rule
Severity: Low
The Ubuntu operating system must prohibit password reuse for a minimum of five generations.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must store only encrypted representations of passwords.
1
Rule
Severity: High
If passwords are used for authentication, PostgreSQL must store only hashed, salted representations of passwords.
1
Rule
Severity: High
For accounts using password authentication, the Central Log Server must be configured to store only cryptographic representations of passwords.
2
Rule
Severity: High
The Cisco router must only store cryptographic representations of passwords.
2
Rule
Severity: High
The Cisco switch must only store cryptographic representations of passwords.
1
Rule
Severity: Medium
For container platform using password authentication, the application must store only cryptographic representations of passwords.
1
Rule
Severity: High
The DBMS must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
1
Rule
Severity: High
If passwords are used for authentication, the EDB Postgres Advanced Server must store only hashed, salted representations of passwords.
1
Rule
Severity: Medium
The DNS server implementation must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
2
Rule
Severity: High
The operating system must store only encrypted representations of passwords.
1
Rule
Severity: High
If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.
1
Rule
Severity: High
The WebSphere Liberty Server must store only encrypted representations of user passwords.
1
Rule
Severity: High
The AIX system must have no .netrc files on the system.
1
Rule
Severity: High
ACF2 must use NIST FIPS-validated cryptography to protect passwords in the security database.
1
Rule
Severity: Medium
The Apache Tomcat Manager Web app password must be cryptographically hashed with a DOD-approved algorithm.
1
Rule
Severity: High
IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database.
1
Rule
Severity: High
NIST FIPS-validated cryptography must be used to protect passwords in the security database.
1
Rule
Severity: Medium
IBM Passtickets must be configured to be KeyEncrypted.
1
Rule
Severity: Medium
A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.
1
Rule
Severity: High
The Juniper EX switch must be configured to only store cryptographic representations of passwords.
1
Rule
Severity: High
Secrets in Kubernetes must not be stored as environment variables.
1
Rule
Severity: Medium
The Mainframe Product must store only cryptographically protected passwords.
1
Rule
Severity: High
If passwords are used for authentication, MariaDB must store only hashed, salted representations of passwords.
1
Rule
Severity: Medium
Swarm Secrets or Kubernetes Secrets must be used.
2
Rule
Severity: High
Reversible password encryption must be disabled.
2
Rule
Severity: High
The system must be configured to prevent the storage of the LAN Manager hash of passwords.
1
Rule
Severity: High
Windows Server 2019 reversible password encryption must be disabled.
1
Rule
Severity: High
Windows Server 2019 must be configured to prevent the storage of the LAN Manager hash of passwords.
1
Rule
Severity: High
Windows Server 2022 reversible password encryption must be disabled.
1
Rule
Severity: High
The network device must be configured to store passwords using an approved salted key derivation function, preferably using a keyed hash for password-based authentication.
1
Rule
Severity: High
Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords.
1
Rule
Severity: High
The DBMS must support organizational requirements to enforce password encryption for storage.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
1
Rule
Severity: Medium
OL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
1
Rule
Severity: Medium
OL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
1
Rule
Severity: Medium
The OL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: Medium
The Oracle Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.
1
Rule
Severity: Medium
If passwords are used for authentication, the MySQL Database Server 8.0 must store only hashed, salted representations of passwords.
1
Rule
Severity: High
The Riverbed NetProfiler must be configured to implement cryptographic mechanisms using a FIPS 140-2/140-3 validated algorithm to protect the confidentiality and integrity of all cryptographic functions.
1
Rule
Severity: Medium
If passwords are used for authentication, Redis Enterprise DBMS must store only hashed, salted representations of passwords.
1
Rule
Severity: Medium
Rancher RKE2 must store only cryptographic representations of passwords.
1
Rule
Severity: Medium
RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm.
1
Rule
Severity: Medium
RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords.
1
Rule
Severity: Medium
The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: High
OpenShift must use FIPS validated LDAP or OpenIDConnect.
1
Rule
Severity: Medium
RHEL 9 password-auth must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: Medium
RHEL 9 system-auth must be configured to use a sufficient number of hashing rounds.
1
Rule
Severity: Medium
RHEL 9 must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords.
1
Rule
Severity: Medium
RHEL 9 must be configured to use the shadow file to store only encrypted representations of passwords.
1
Rule
Severity: Medium
RHEL 9 must employ FIPS 140-3 approved cryptographic hashing algorithms for all stored passwords.
1
Rule
Severity: Medium
RHEL 9 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-3 approved cryptographic hashing algorithm for system authentication.
4
Rule
Severity: Medium
The SUSE operating system must employ FIPS 140-2-approved cryptographic hashing algorithms for all stored passwords.
2
Rule
Severity: Medium
The SUSE operating system must configure the Linux Pluggable Authentication Modules (PAM) to only store encrypted representations of passwords.
2
Rule
Severity: Medium
Systems must employ cryptographic hashes for passwords using the SHA-2 family of algorithms or FIPS 140-2 approved successors.
1
Rule
Severity: Medium
TOSS must store only encrypted representations of passwords.
1
Rule
Severity: Medium
The VMM must store only encrypted representations of passwords.
1
Rule
Severity: Medium
For site-to-site, VPN Gateway must be configured to store only cryptographic representations of pre-shared Keys (PSKs).
1
Rule
Severity: Medium
The web server must, for password-based authentication, store passwords using an approved salted key derivation function, preferably using a keyed hash.
1
Rule
Severity: High
The vCenter PostgreSQL service must encrypt passwords for user authentication.
1
Rule
Severity: Medium
For UEM server using password authentication, the application must store only cryptographic representations of passwords.