UBTU-22-612035 - Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Information

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Solution

Configure Ubuntu 22.04 LTS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add or update the 'cert_policy' option in '/etc/pam_pkcs11/pam_pkcs11.conf' to include 'crl_auto' or 'crl_offline'.

cert_policy = ca,signature,ocsp_on, crl_auto;

If the system is missing an '/etc/pam_pkcs11/' directory and an '/etc/pam_pkcs11/pam_pkcs11.conf', find an example to copy into place and modify accordingly at '/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_22-04_LTS_V2R2_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(d), CAT|II, CCI|CCI-001991, CCI|CCI-004068, Rule-ID|SV-260578r1015021_rule, STIG-ID|UBTU-22-612035, Vuln-ID|V-260578

Plugin: Unix

Control ID: d33356667e19ee0bbf14b16e115263dfdfd2ff086607eb96f87765fba2b596b1