← Back to Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide

V-238233

CAT II (Medium)

The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Rule ID

SV-238233r1015151_rule

STIG

Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-001991 CCI-004068

Discussion

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Check Content

Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network.  
 
Verify that "crl_offline" or "crl_auto" is part of the "cert_policy" definition in "/etc/pam_pkcs11/pam_pkcs11.conf" using the following command: 
 
# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep  -E -- 'crl_auto|crl_offline' 
 
cert_policy = ca,signature,ocsp_on,crl_auto; 
 
If "cert_policy" is not set to include "crl_auto" or "crl_offline", this is a finding.

Fix Text

Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. 
 
Add or update the "cert_policy" option in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline". 
 
cert_policy = ca,signature,ocsp_on, crl_auto; 
 
If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".