CCI
CCI|CCI-000185
Title: For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
Reference Item Details
Reference: CCI - DISA Control Correlation Identifier
Category: 2024
Audit Items
| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.11 OL08-00-010090 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II |
| 1.51 APPL-14-001060 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II |
| 1.92 UBTU-24-400360 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II |
| 1.94 UBTU-24-400375 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II |
| 1.106 UBTU-22-612030 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II |
| 1.173 WN22-DC-000280 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II |
| 1.182 WN10-PK-000005 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II |
| 1.183 WN10-PK-000010 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II |
| 1.184 WN10-PK-000015 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II |
| 1.185 WN10-PK-000020 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II |
| 1.205 WN22-PK-000010 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II |
| 1.205 WN22-PK-000010 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II |
| 1.206 WN22-PK-000020 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II |
| 1.206 WN22-PK-000020 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II |
| 1.207 WN22-PK-000030 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II |
| 1.207 WN22-PK-000030 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II |
| 1.348 RHEL-09-631010 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II |
| AIX7-00-001006 - If the AIX system is using LDAP for authentication or account information, the LDAP SSL, or TLS connection must require the server provide a certificate and this certificate must have a valid path to a trusted CA. | Unix | DISA STIG AIX 7.x v3r1 |
| ALMA-09-039070 - AlmaLinux OS 9, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Unix | DISA Cloud Linux AlmaLinux OS 9 STIG v1r5 |
| AOSX-13-000750 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.13 v2r5 |
| AOSX-14-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6 |
| AOSX-15-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple Mac OSX 10.15 v1r10 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r8 |
| APPL-11-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 11 v1r5 |
| APPL-12-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 12 v1r9 |
| APPL-13-003001 - The macOS system must issue or obtain public key certificates under an appropriate certificate policy from an approved service provider. | Unix | DISA STIG Apple macOS 13 v1r5 |
| APPL-14-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 14 Sonoma STIG v2r4 |
| APPL-15-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 15 Sequoia STIG v1r6 |
| APPL-26-001060 - The macOS system must set smart card certificate trust to moderate. | Unix | DISA Apple macOS 26 Tahoe STIG v1r1 |
| APPNET0031 - Digital signatures assigned to strongly named assemblies must be verified. | Windows | DISA Microsoft DotNet Framework 4.0 STIG v2r7 |
| APPNET0046 - The Trust Providers Software Publishing State must be set to 0x23C00. | Windows | DISA Microsoft DotNet Framework 4.0 STIG v2r7 |
| APPNET0048 - Developer certificates used with the .NET Publisher Membership Condition must be approved by the ISSO. | Windows | DISA Microsoft DotNet Framework 4.0 STIG v2r7 |
| APPNET0063 - .NET must be configured to validate strong names on full-trust assemblies. | Windows | DISA Microsoft DotNet Framework 4.0 STIG v2r7 |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r6 |
| AS24-U2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3 |
| AS24-W1-000380 - The Apache web server must perform RFC 5280-compliant certification path validation. | Windows | DISA STIG Apache Server 2.4 Windows Server v3r3 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyClient | Windows | DISA Apache Server 2.4 Windows Site STIG v2r2 |
| AS24-W2-000380 - The Apache web server must perform RFC 5280-compliant certification path validation - SSLVerifyDepth | Windows | DISA Apache Server 2.4 Windows Site STIG v2r2 |
| AZLX-23-001310 - Amazon Linux 2023, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Unix | DISA Amazon Linux 2023 STIG v1r2 |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - All Profiles |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate |
| Big Sur - Issue or Obtain Public Key Certificates from an Approved Service Provider | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253 |
| CASA-VN-000120 - The Cisco ASA must be configured to validate certificates via a trustpoint that identifies a DoD or DoD-approved certificate authority. | Cisco | DISA STIG Cisco ASA VPN v2r2 |
| CASA-VN-000730 - The Cisco ASA VPN remote access server must be configured to validate certificates used for Transport Layer Security (TLS) functions by performing RFC 5280-compliant certification path validation. | Cisco | DISA STIG Cisco ASA VPN v2r2 |
| CD12-00-007000 - PostgreSQL, when utilizing PKI-based authentication, must validate certificates by performing RFC 5280-compliant certification path validation. | Unix | DISA STIG Crunchy Data PostgreSQL OS v3r1 |
| CNTR-R2-000010 - Rancher RKE2 must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. | Unix | DISA Rancher Government Solutions RKE2 STIG v2r5 |