Title

For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. (Cat II impact)

Discussion

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Check Content

Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command: $ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf cert_policy = ca,signature,ocsp_on, crl_auto; If the cert_policy does not contain the options in the example output, this is a finding.

Fix Text

Configure the NixOS operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add the following Nix code to the NixOS Configuration usually located in /etc/nixos/configuration.nix: security.pam.p11.enable = true; environment.etc."pam_pkcs11/pam_pkcs11.conf".text = '' cert_policy = ca,signature,ocsp_on, crl_auto; ''; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268179r1039545_rule

Vulnerability ID: V-268179

Group Title: SRG-OS-000384-GPOS-00167

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.