STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-268179

CAT II (Medium)

For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Rule ID

SV-268179r1131166_rule

STIG

Anduril NixOS Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-004068

Discussion

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Check Content

Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command:

$ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf

cert_policy = ca,signature,ocsp_on, crl_auto;

If the cert_policy does not contain the options in the example output, this is a finding.
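The manual check above only eyeballs the grep output. The following POSIX shell function is an added example (not part of the STIG or of STIGhub) that automates the same check: it extracts the cert_policy line from pam_pkcs11.conf, normalises the comma-separated option list so that spacing differences such as "ocsp_on, crl_auto" versus "ocsp_on,crl_auto" do not matter, and reports a finding when any of the four required options is missing or when no cert_policy line exists at all. The default path is the one the STIG names; the argument lets you point it at another file for testing.

```shell
#!/bin/sh
# Added example, not from the STIG or STIGhub: automated check for the
# V-268179 cert_policy requirement. The required option set is the one
# listed in the STIG check text.

REQUIRED_OPTS="ca signature ocsp_on crl_auto"

# Print the option list of the first cert_policy line in the given file,
# one option per line, with "cert_policy =", a trailing ";", any "#" comment
# and surrounding whitespace stripped.
cert_policy_options() {
    sed -n '/^[[:space:]]*cert_policy[[:space:]]*=/{p;q;}' "$1" \
        | sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/#.*$//' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -v '^$'
}

# Return 0 when every required option is present, 1 otherwise, naming each
# missing option on stderr. A missing file or missing cert_policy line is a
# finding too.
check_cert_policy() {
    conf="${1:-/etc/pam_pkcs11/pam_pkcs11.conf}"
    if [ ! -r "$conf" ]; then
        echo "finding: $conf missing or unreadable" >&2
        return 1
    fi
    opts=$(cert_policy_options "$conf" || true)
    if [ -z "$opts" ]; then
        echo "finding: no cert_policy line in $conf" >&2
        return 1
    fi
    status=0
    for want in $REQUIRED_OPTS; do
        if ! printf '%s\n' "$opts" | grep -qx "$want"; then
            echo "finding: cert_policy lacks '$want' in $conf" >&2
            status=1
        fi
    done
    return $status
}
```

Source the file and run `check_cert_policy` with no argument to check the live system; a non-zero exit status means the rule is a finding, and the stderr lines say which option is missing. Because the check matches whole options rather than substrings, a policy of "ca,signature" is correctly reported as lacking ocsp_on and crl_auto rather than being accepted because "ca" happens to appear inside other words.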

Fix Text

Configure NixOS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely. 

Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:

security.pam.p11.enable = true;
environment.etc."pam_pkcs11/pam_pkcs11.conf".text = ''
  cert_policy = ca,signature,ocsp_on, crl_auto;
'';

Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch