800-53|IA-5(2)

Title

PKI-BASED AUTHENTICATION

Description

The information system, for PKI-based authentication:

Supplemental

Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing.

Reference Item Details

Related: IA-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: AUTHENTICATOR MANAGEMENT

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.1.2.1.55 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'WindowsCIS Windows 2003 MS v3.1.0
1.1.1.2.1.55 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'WindowsCIS Windows 2003 DC v3.1.0
1.1.1.2.1.62 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' or betterWindowsCIS Windows 2003 DC v3.1.0
1.1.1.2.1.62 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' or betterWindowsCIS Windows 2003 MS v3.1.0
1.1.3.11.16 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'WindowsCIS Windows 8 L1 v1.0.0
1.1.3.14.1 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'WindowsCIS Windows 8 L1 v1.0.0
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriateUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.21 Ensure that the --kubelet-certificate-authority argument is set as appropriateUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.22 Ensure that the --kubelet-certificate-authority argument is set as appropriateUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-certificateUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-certificateUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-keyUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.22 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-keyUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.23 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-certificateUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.23 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate - kubelet-client-keyUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriateUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriateUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.25 Ensure that the --service-account-key-file argument is set as appropriateUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - certfileUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-certfileUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-certfileUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-keyfileUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-keyfileUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.26 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - keyfileUnixCIS Kubernetes 1.13 Benchmark v1.4.1 L1
1.1.26 Ensure that the --service-account-key-file argument is set as appropriateUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-certfileUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.27 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate - etcd-keyfileUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-fileUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-fileUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-fileUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.28 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-fileUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.29 Ensure that the --client-ca-file argument is set as appropriateUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.29 Ensure that the --client-ca-file argument is set as appropriateUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-cert-fileUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.29 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - tls-private-key-fileUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.30 Ensure that the --client-ca-file argument is set as appropriateUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.30 Ensure that the --etcd-cafile argument is set as appropriateUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.1.31 Ensure that the --etcd-cafile argument is set as appropriateUnixCIS Kubernetes 1.7.0 Benchmark v1.1.0 L1
1.1.31 Ensure that the --etcd-cafile argument is set as appropriateUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.2.17.8 Retrieving CRLs: Level I Enabled: When on-line always retrieve the CRL.WindowsCIS MS Office 2007 v1.1.0 L1
1.2.17.9. Missing CRLs: Level II Enabled: error.WindowsCIS MS Office 2007 v1.1.0 L2
1.2.27 Ensure that the --service-account-key-file argument is set as appropriateUnixCIS Kubernetes v1.20 Benchmark v1.0.0 L1 Master
1.11 Ensure 'Whether online OCSP/CRL checks are performed' is set to 'Disabled'WindowsCIS Google Chrome L1 v2.0.0
1.13.2.1.2 Ensure 'Missing CRLs' is set to Enabled:ErrorWindowsCIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.1.2 Ensure 'Missing CRLs' is set to Enabled:ErrorWindowsCIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:WarningWindowsCIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:WarningWindowsCIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.1.5 Ensure 'Retrieving CRLs (Certificate Revocation Lists)' is set to Enabled:When online always retrieve the CRLWindowsCIS Microsoft Office Outlook 2016 v1.1.0 Level 1
1.13.2.1.5 Ensure 'Retrieving CRLs (Certificate Revocation Lists)' is set to Enabled:When online always retrieve the CRLWindowsCIS Microsoft Office Outlook 2013 v1.1.0 Level 1
1.17 Ensure 'Enable online OCSP/CRL checks' is set to 'Disabled'WindowsCIS Google Chrome L1 v3.0.0