800-53|IA-5(2)

Title

PKI-BASED AUTHENTICATION

Description

The information system, for PKI-based authentication:

Supplemental

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

Reference Item Details

Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations

Related: IA-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: AUTHENTICATOR MANAGEMENT

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.3.11.16 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'	Windows	CIS Windows 8 L1 v1.0.0
1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'	Windows	CIS Windows 8 L1 v1.0.0
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.22 Ensure that the --kubelet-certificate-authority argument is set as appropriate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-certificate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-certificate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-key	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-key	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.23 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-certificate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.23 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-key	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfile	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-certfile	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-certfile	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-keyfile	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-keyfile	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfile	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.26 Ensure that the --service-account-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-certfile	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-keyfile	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.29 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.29 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-file	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-file	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.30 Ensure that the --client-ca-file argument is set as appropriate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.30 Ensure that the --etcd-cafile argument is set as appropriate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.31 Ensure that the --etcd-cafile argument is set as appropriate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.31 Ensure that the --etcd-cafile argument is set as appropriate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.3.5 Ensure that the --root-ca-file argument is set as appropriate	Unix	CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.5.1 Ensure that the --cert-file and --key-file arguments are set as appropriate - ca-file	Unix	CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.13.2.1.2 Ensure 'Missing CRLs' is set to Enabled:Error	Windows	CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.1.2 Ensure 'Missing CRLs' is set to Enabled:Error	Windows	CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning	Windows	CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning	Windows	CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.1.5 Ensure 'Retrieving CRLs (Certificate Revocation Lists)' is set to Enabled:When online always retrieve the CRL	Windows	CIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.1.5 Ensure 'Retrieving CRLs (Certificate Revocation Lists)' is set to Enabled:When online always retrieve the CRL	Windows	CIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.17 Ensure 'Enable online OCSP/CRL checks' is set to 'Disabled'	Windows	CIS Google Chrome L1 v3.0.0

Detections

Analytics