Check: AOSX-14-003002
Apple OS X 10.14 (Mojave) STIG:
AOSX-14-003002
(in versions v2 r6 through v1 r1)
Title
The macOS system must enable certificate for smartcards. (Cat II impact)
Discussion
To prevent untrusted certificates the certificates on a smartcard card must be valid in these ways: its issuer is system-trusted, the certificate is not expired, its "valid-after" date is in the past, and it passes CRL and OCSP checking.
Check Content
To view the setting for the smartcard certification configuration, run the following command: sudo /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep checkCertificateTrust If the return is not "checkCertificateTrust = 1;" with the numeral equal to 1 or greater, this is a finding.
Fix Text
This setting is enforced using the "Smart Card Policy" configuration profile. Note: Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
Additional Identifiers
Rule ID: SV-209614r610285_rule
Vulnerability ID: V-209614
Group Title: SRG-OS-000067-GPOS-00035
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000186 |
The information system, for PKI-based authentication, enforces authorized access to the corresponding private key. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |