800-53|IA-5(2)(d)

Title

PKI-BASED AUTHENTICATION

Description

Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Reference Item Details

Category: IDENTIFICATION AND AUTHENTICATION

Family: IDENTIFICATION AND AUTHENTICATION

Audit Items

View all Reference Audit Items

NamePluginAudit Name
AIX7-00-002110 - AIX must setup SSH daemon to disable revoked public keys.UnixDISA STIG AIX 7.x v3r1
AOSX-14-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.UnixDISA STIG Apple Mac OSX 10.14 v2r6
AOSX-15-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.UnixDISA STIG Apple Mac OSX 10.15 v1r10
APPL-11-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities to verify the establishment of protected sessions.UnixDISA STIG Apple macOS 11 v1r8
APPL-11-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities to verify the establishment of protected sessions.UnixDISA STIG Apple macOS 11 v1r5
APPL-12-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions - PIV credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities to verify the establishment of protected sessions.UnixDISA STIG Apple macOS 12 v1r9
APPL-13-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DOD PKI-established certificate authorities for verification of the establishment of protected sessions.UnixDISA STIG Apple macOS 13 v1r4
APPL-14-001060 - The macOS system must set smart card certificate trust to moderate.UnixDISA Apple macOS 14 (Sonoma) STIG v2r2
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Big Sur v1.4.0 - CNSSI 1253
CASA-VN-000130 - The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication.CiscoDISA STIG Cisco ASA VPN v2r2
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Catalina v1.5.0 - CNSSI 1253
DKER-EE-001100 - LDAP integration in Docker Enterprise must be configured.UnixDISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r2
F5BI-AP-000231 - The F5 BIG-IP appliance must be configured to deny access when revocation data is unavailable using OCSP.F5DISA F5 BIG-IP Access Policy Manager STIG v2r3
F5BI-LT-000203 - The BIG-IP Core implementation must be configured to deny-by-default all PKI-based authentication to virtual servers supporting path discovery and validation if unable to access revocation information via the network.F5DISA F5 BIG-IP Local Traffic Manager STIG v2r3
JRE8-UX-000150 - Oracle JRE 8 must enable the dialog to enable users to check for revocation - deployment.security.validation.crlUnixDISA STIG Oracle JRE 8 Unix v1r3
JRE8-UX-000150 - Oracle JRE 8 must enable the dialog to enable users to check for revocation - deployment.security.validation.crl.lockedUnixDISA STIG Oracle JRE 8 Unix v1r3
JRE8-UX-000160 - Oracle JRE 8 must lock the option to enable users to check for revocation - deployment.security.revocation.checkUnixDISA STIG Oracle JRE 8 Unix v1r3
JRE8-UX-000160 - Oracle JRE 8 must lock the option to enable users to check for revocation - deployment.security.revocation.check.lockedUnixDISA STIG Oracle JRE 8 Unix v1r3
JRE8-WN-000150 - Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation - deployment.security.validation.crlWindowsDISA STIG Oracle JRE 8 Windows v2r1
JRE8-WN-000150 - Oracle JRE 8 must enable the dialog to enable users to check publisher certificates for revocation - deployment.security.validation.crl.lockedWindowsDISA STIG Oracle JRE 8 Windows v2r1
JRE8-WN-000160 - Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation - deployment.security.revocation.checkWindowsDISA STIG Oracle JRE 8 Windows v2r1
JRE8-WN-000160 - Oracle JRE 8 must lock the option to enable users to check publisher certificates for revocation - eployment.security.revocation.check.lockedWindowsDISA STIG Oracle JRE 8 Windows v2r1
Monterey - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Monterey v1.0.0 - CNSSI 1253
Monterey - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Set Smartcard Certificate Trust to ModerateUnixNIST macOS Monterey v1.0.0 - All Profiles
OL08-00-010090 - OL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.UnixDISA Oracle Linux 8 STIG v2r2
RHEL-09-631010 - RHEL 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.UnixDISA Red Hat Enterprise Linux 9 STIG v2r2
SLES-12-030530 - The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.UnixDISA SLES 12 STIG v3r1
SLES-15-010170 - The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.UnixDISA SLES 15 STIG v2r2
SYMP-AG-000420 - Symantec ProxySG providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.BlueCoatDISA Symantec ProxySG Benchmark ALG v1r3
UBTU-16-030830 - The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.UnixDISA STIG Ubuntu 16.04 LTS v2r3
UBTU-18-010425 - The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.UnixDISA STIG Ubuntu 18.04 LTS v2r15
UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.UnixDISA STIG Ubuntu 20.04 LTS v2r1
UBTU-22-612035 - Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.UnixDISA STIG Canonical Ubuntu 22.04 LTS v2r2
VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.VMwareDISA STIG VMware vSphere 7.0 vCenter v1r3
WDNS-IA-000011 - The Windows 2012 DNS Server must implement a local cache of revocation data for PKIauthentication in the event revocation information via the network is not accessible.WindowsDISA Microsoft Windows 2012 Server DNS STIG v2r7