Identity & Authentication Auditor
Reports the 3.5.3 SPRS tier (-5, -3, or 0) per host, plus every credential weakness Mimikatz lives on.
The problem
3.5.3 is the highest-impact identity control under the DoD Assessment Methodology, 5 points with partial credit. No MFA at all costs the full 5. MFA on remote access only, the most common contractor configuration, costs 3. Full coverage of local and network access for both privileged and non-privileged accounts costs 0. The contractor's actual configuration is rarely the one they believe they have.
Credential storage is the second surface. MD5-crypt password hashes still appear in /etc/shadow on systems that have not had a fresh hash since 2010. WDigest authentication on older Windows stores plaintext-equivalent credentials in memory, a textbook Mimikatz extraction target. LM hash storage is trivially crackable on modern hardware. Each is a 3.5.10 or 3.13.11 finding the contractor is rarely auditing for.
Authenticator management is the third. SSH keys with no comment cannot be tied to an owner. Keys older than two years should be rotated. Certificates expiring within 30 days are deliverability issues now and audit issues at the next scan. Plaintext credentials in .netrc, .bash_history, or scheduled task XML are 3.5.10 violations sitting on disk that the contractor has never reviewed at all.
What CMMC requires
NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.
Verifies MFA is enforced for local and network access to privileged accounts and network access to non-privileged accounts. Reports the partial-credit SPRS tier the configuration earns.
Audits password hash algorithms in /etc/shadow, plaintext credential storage in .netrc and bash_history, and LM/WDigest behavior on Windows.
Inspects authentication feedback configuration where applicable: terminal echo, login banners, and error messages that disclose authenticator state.
Audits SSH key types, sizes, and ages plus certificate expiration windows under the cryptographic key management requirement.
Detects WDigest and LM hash storage as non-FIPS cryptographic weaknesses under the FIPS-validated cryptography control.
How it works
Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.
Linux: Inspects /etc/pam.d/sshd, sudo, login, and authorization for pam_google_authenticator, pam_duo, pam_okta, pam_radius_auth, and pam_u2f modules. Calculates the SPRS tier based on which configs include MFA: sshd-only is −3, sshd plus sudo plus login is 0. Parses /etc/shadow hash prefixes ($1$ MD5-crypt CRITICAL, $5$ SHA-256-crypt HIGH, $6$ SHA-512-crypt MEDIUM, $2b$/$2y$ bcrypt PASS). Inspects sshd_config TrustedUserCAKeys for SSH certificate auth, and greps .netrc and .bash_history for credential patterns plus authorized_keys comments for date-based age signals.
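A Python sketch of the Linux half of this logic, added here as an illustration and not the agent's own code: it scans pam.d file contents for the MFA modules named above, derives the 3.5.3 tier from which services carry them, and grades /etc/shadow hash prefixes with the severities above. The PAM and shadow contents are constructed samples; on a live host you would pass the real file text (reading /etc/shadow needs root, /etc/pam.d does not).

```python
# MFA-capable PAM modules named on this page (assumed list; extend as needed).
MFA_MODULES = ("pam_google_authenticator", "pam_duo", "pam_okta",
               "pam_radius_auth", "pam_u2f")
# Severity per crypt(3) hash prefix, following the page's grading; anything else is UNKNOWN.
HASH_GRADES = {"$1$": "CRITICAL", "$5$": "HIGH", "$6$": "MEDIUM",
               "$2b$": "PASS", "$2y$": "PASS"}

def pam_has_mfa(text):
    """True if any non-comment line of a pam.d file loads an MFA module."""
    for line in text.splitlines():
        code = line.split("#", 1)[0]            # ignore commented-out modules
        if any(mod in code for mod in MFA_MODULES):
            return True
    return False

def sprs_tier_353(mfa):
    """3.5.3 tier: -5 no MFA anywhere, -3 remote (sshd) only, 0 sshd+sudo+login."""
    if not any(mfa.values()):
        return -5
    if all(mfa.get(svc, False) for svc in ("sshd", "sudo", "login")):
        return 0
    return -3

def grade_shadow(shadow):
    """Map account -> severity for every shadow entry that carries a hash."""
    grades = {}
    for line in shadow.splitlines():
        user, _, rest = line.partition(":")
        h = rest.split(":", 1)[0]
        if not user or not h or h.startswith(("*", "!")):   # locked/passwordless: skip
            continue
        prefix = next((p for p in HASH_GRADES if h.startswith(p)), None)
        grades[user] = HASH_GRADES.get(prefix, "UNKNOWN")
    return grades

def audit(pam_files, shadow):
    """pam_files: {service name: pam.d file text}; shadow: /etc/shadow text."""
    mfa = {svc: pam_has_mfa(text) for svc, text in pam_files.items()}
    return {"tier": sprs_tier_353(mfa), "mfa": mfa, "hashes": grade_shadow(shadow)}

# Constructed sample (not real host data): MFA on sshd only, pam_duo commented out in sudo.
SAMPLE_PAM = {"sshd": "auth required pam_sepermit.so\nauth required pam_google_authenticator.so nullok\n",
              "sudo": "#auth required pam_duo.so\nauth include system-auth\n",
              "login": "auth substack system-auth\n"}
SAMPLE_SHADOW = ("root:$6$saltsalt$hashhash:19000:0:99999:7:::\n"
                 "legacy:$1$salt$hash:14600:0:99999:7:::\n"
                 "svc:!!:19000:0:99999:7:::\n"
                 "ops:$2y$10$saltsalt.hashhash:19500:0:99999:7:::\n")
print(audit(SAMPLE_PAM, SAMPLE_SHADOW))   # -> tier -3; legacy graded CRITICAL, svc skipped
```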
Windows: Detects Duo Authentication for Windows Logon (HKLM\SOFTWARE\Duo Security\DuoCredentialProvider), Okta Verify, Windows Hello for Business, Azure MFA NPS extension, and smart card requirement (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=1). Checks NoLMHash=1 (LM hashes not stored) and WDigest UseLogonCredential=0 (no plaintext credentials in memory). Audits the LocalMachine\My certificate store for expired or near-expiring certs and counts Windows Credential Manager entries via cmdkey /list.
macOS: Checks /etc/pam.d/authorization for MFA modules and runs sc_auth identities to enumerate paired smart cards. Reads com.apple.security.smartcard.checkCertificateTrust for the trust level and detects Jamf Connect or Okta Device Trust via MDM markers, so MDM-enforced identity controls do not get missed in the audit.
What it finds
Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.
- CRITICAL: No MFA configured anywhere. No PAM MFA module loaded, no Duo/Okta credential provider, no Windows Hello. 3.5.3 −5 SPRS deduction tier.
- CRITICAL: MD5-crypt password hash in /etc/shadow. Account uses a $1$ hash. MD5-crypt is not FIPS-approved and is computationally cheap to crack at modern hardware speeds.
- CRITICAL: WDigest UseLogonCredential = 1. Plaintext-equivalent credentials are stored in process memory. Standard Mimikatz extraction target; credential theft is straightforward post-compromise.
- HIGH: MFA on remote access only. PAM MFA module in /etc/pam.d/sshd but absent from /etc/pam.d/sudo and /etc/pam.d/login. 3.5.3 −3 SPRS deduction tier, partial credit only.
- HIGH: LM hashes stored (NoLMHash absent or 0). LM hashes for all local accounts are stored in the SAM. Trivially crackable; the protocol is from 1987 and the cryptography reflects it.
- HIGH: Certificate expiring in under 30 days. TLS or SSH certificate in active use expires in fewer than 30 days. Service interruption imminent unless rotated.
- MEDIUM: SSH key older than 2 years. authorized_keys entry has a comment with a date older than 2 years, or no comment at all. Rotation is overdue or ownership is undocumented.
3.5.3 is the highest-individual-impact control in this family, 5 points with partial credit. The configuration tier this agent reports drives the SPRS calculation directly: −5 for no MFA, −3 for remote-only, 0 for full coverage. 3.5.10 weak hash storage is 3 points. Combined with 3.13.11 (5 points) when WDigest or LM hashes are present, identity findings can produce 11+ SPRS points of exposure on a single endpoint, and the configuration tier the contractor believes they are at is almost never the one the agent measures.
How it hooks into the platform
The platform inspects PAM, credential providers, and certificate stores on every host during auto-discovery and re-runs on a cadence aligned to identity-system change frequency. You configure whether PAM contents, hash prefixes, and certificate metadata stay on-prem or sync up. The measured 3.5.3 SPRS tier (-5, -3, or 0) drafts the SSP's identification and authentication narrative directly. Findings cite specific PAM files, registry keys, and certificate paths and map across 3.5.3, 3.5.10, 3.13.10, and 3.13.11. New accounts that bypass MFA and certs approaching expiry alert before the next assessment.
How we know it's working
Acceptance criteria from the engineering spec: what the agent must do to ship.
- Detects Duo, Google Authenticator, YubiKey, RADIUS, and Okta on Linux
- Detects Duo WinLogon, Windows Hello, and smart card requirement on Windows
- Identifies MD5-crypt password hashes from /etc/shadow per account
- Treats absent WDigest keys as enabled on older Windows builds
- Parses certificate expiry windows from both PEM and DER stores
- Avoids false positives on legitimate commands when scanning bash_history
- Returns the measured 3.5.3 SPRS tier inline with every host result
Run this agent against your environment.
Book a 30-minute scoping call. We'll deploy the agent on your systems and walk through the findings together.