800-53|IA-5(2)

Title

PKI-BASED AUTHENTICATION

Description

The information system, for PKI-based authentication:

Supplemental

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certificates involves the construction and verification of a certification path to the Common Policy Root trust anchor, including certificate policy processing.

Reference Item Details

Related: IA-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: AUTHENTICATOR MANAGEMENT

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.1.3.11.16 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' | Windows | CIS Windows 8 L1 v1.0.0
1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer' | Windows | CIS Windows 8 L1 v1.0.0
1.1.25 Ensure that the --service-account-key-file argument is set as appropriate | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate - cert-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate - key-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.2 Ensure that the --client-cert-auth argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.5.2 Ensure that the --client-cert-auth argument is set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.5.2 Ensure that the --client-cert-auth argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.5.3 Ensure that the --auto-tls argument is not set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.5.3 Ensure that the --auto-tls argument is not set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate - peer-cert-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate - peer-key-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.5.6 Ensure that the --peer-auto-tls argument is not set to true | Unix | CIS Kubernetes 1.13 Benchmark v1.4.1 L1
2.1.11 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
2.1.11 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
2.1.12 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
2.1.12 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
2.1.12 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
2.1.12 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
3.1.19 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
3.1.19 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
3.1.19 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
3.1.19 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
4.6 Set OCSP Response Policy | Windows | CIS Mozilla Firefox 38 ESR Windows L2 v1.0.0
4.6 Set OCSP Response Policy | Unix | CIS Mozilla Firefox 38 ESR Linux L2 v1.0.0
5.2 Set 'Check for server certificate revocation' to 'Enabled' | Windows | CIS IE 10 v1.1.0
5.6 Enable OCSP and CRL certificate checking - CRLStyle | Unix | CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.6 Enable OCSP and CRL certificate checking - CRLStyle | Unix | CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.6 Enable OCSP and CRL certificate checking - OCSPStyle | Unix | CIS Apple OSX 10.10 Yosemite L2 v1.2.0
5.6 Enable OCSP and CRL certificate checking - OCSPStyle | Unix | CIS Apple OSX 10.11 El Capitan L2 v1.1.0
5.25 sqlnet.ora - 'ssl_cert_revocation = REQUIRED' | Windows | CIS v1.1.0 Oracle 11g OS Windows Level 2
6.1 Setup Client-cert Authentication | Unix | CIS Apache Tomcat 7 L2 v1.1.0
7.9 Ensure CA certificates are rotated as appropriate | Unix | CIS Docker Community Edition v1.1.0 L2 Docker
AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-002110 - AIX must setup SSH daemon to disable revoked public keys. | Unix | DISA STIG AIX 7.x v3r1
AIX7-00-003004 - AIX SSH private host key files must have mode 0600 or less permissive. | Unix | DISA STIG AIX 7.x v3r1
AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-13-067035 - The macOS system must enable certificate for smartcards. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5
AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-003002 - The macOS system must enable certificate for smartcards. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-14-003005 - The macOS system must map the authenticated identity to the user or group account for PKI-based authentication. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5
APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8