Check: UBTU-20-010066
Canonical Ubuntu 20.04 LTS STIG:
UBTU-20-010066
(in versions v1 r12 through v1 r1)
Title
The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network. (Cat II impact)
Discussion
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Check Content
Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network. Verify that "crl_offline" or "crl_auto" is part of the "cert_policy" definition in "/etc/pam_pkcs11/pam_pkcs11.conf" using the following command: # sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- 'crl_auto|crl_offline' cert_policy = ca,signature,ocsp_on,crl_auto; If "cert_policy" is not set to include "crl_auto" or "crl_offline", this is a finding.
Fix Text
Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. Add or update the "cert_policy" option in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline". cert_policy = ca,signature,ocsp_on, crl_auto; If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".
Additional Identifiers
Rule ID: SV-238233r880870_rule
Vulnerability ID: V-238233
Group Title: SRG-OS-000384-GPOS-00167
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001991 |
The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |