UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Information

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Solution

Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add or update the 'cert_policy' option in '/etc/pam_pkcs11/pam_pkcs11.conf' to include 'crl_auto' or 'crl_offline'.

cert_policy = ca,signature,ocsp_on, crl_auto;

If the system is missing an '/etc/pam_pkcs11/' directory and an '/etc/pam_pkcs11/pam_pkcs11.conf', find an example to copy into place and modify accordingly at '/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(d), CAT|II, CCI|CCI-001991, CCI|CCI-004068, Rule-ID|SV-238233r1015151_rule, STIG-ID|UBTU-20-010066, Vuln-ID|V-238233

Plugin: Unix

Control ID: 2ca54213cdad599d6a0a1fa86fffe7b1e5a670ffb1e96efa6dde0dfd7392f1e5