← Back to Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide

V-260578

CAT II (Medium)

Ubuntu 22.04 LTS for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Rule ID

SV-260578r1015021_rule

STIG

Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-004068 CCI-001991

Discussion

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Check Content

Verify Ubuntu 22.04 LTS, for PKI-based authentication, uses local revocation data when unable to access it from the network by using the following command: 
 
Note: If smart card authentication is not being used on the system, this is not applicable.  
  
     $ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep  -E -- 'crl_auto|crl_offline' 
     cert_policy = ca,signature,ocsp_on,crl_auto; 
  
If "cert_policy" is not set to include "crl_auto" or "crl_offline", is commented out, or is missing, this is a finding.

Fix Text

Configure Ubuntu 22.04 LTS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.  
  
Add or update the "cert_policy" option in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline".  
  
cert_policy = ca,signature,ocsp_on, crl_auto;  
  
If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".