An error occurred:

Check: APPL-11-001060

Apple macOS 11 (Big Sur) STIG: APPL-11-001060 (in versions v1 r8 through v1 r1)

Title

The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities to verify the establishment of protected sessions. (Cat II impact)

Discussion

The use of PIV credentials facilitates standardization and reduces the risk of unauthorized access. Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). Untrusted Certificate Authorities (CA) can issue certificates, but they may be issued by organizations or individuals that seek to compromise DoD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DoD-approved CA, trust of this CA has not been established. DoD has mandated the use of the CAC to support identity management and personal authentication for systems covered under Homeland Security Presidential Directive (HSPD) 12, as well as making the CAC a primary component of layered protection for national security systems. The DoD will only accept PKI-certificates obtained from a DoD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates. Satisfies: SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162, SRG-OS-000384-GPOS-00167, SRG-OS-000403-GPOS-00182, SRG-OS-000067-GPOS-00035

Check Content

To verify that certificate checks are occurring, run the following command. /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep checkCertificateTrust If the output is null or the value returned, "checkCertificateTrust = 1", is not equal to (1) or greater, this is a finding.

Fix Text

This setting is enforced using the "Smart Card Policy" configuration profile. Note: Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.

Additional Identifiers

Rule ID: SV-230785r855686_rule

Vulnerability ID: V-230785

Group Title: SRG-OS-000376-GPOS-00161

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000186

The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.
CCI-001953

The information system accepts Personal Identity Verification (PIV) credentials.
CCI-001954

The information system electronically verifies Personal Identity Verification (PIV) credentials.
CCI-001991

The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
CCI-002470

The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2 (12)

Acceptance Of Piv Credentials
IA-5 (2)

Pki-Based Authentication
SC-23 (5)

Allowed Certificate Authorities