V-281325

Discussion

Using an authentication device, such as a DOD common access card (CAC) or token that is separate from the information system, ensures that even if the information system is compromised, credentials stored on the authentication device will not be affected. Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification (PIV) card and the DOD CAC. RHEL 10 includes multiple options for configuring certificate status checking but for this requirement focuses on the System Security Services Daemon (SSSD). By default, SSSD performs Online Certificate Status Protocol (OCSP) checking and certificate verification using a sha256 digest function. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162, SRG-OS-000705-GPOS-00150

Check Content

Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.

Verify RHEL 10 implements OCSP and is using the proper digest value on the system with the following command:

$ sudo grep -irs certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/ | grep -v "^#"
/etc/sssd/conf.d/certificate_verification.conf:certificate_verification = ocsp_dgst=sha512

If the certificate_verification line is missing from the [sssd] section, or is missing "ocsp_dgst=sha512", ask the SA to indicate what type of multifactor authentication is being used and how the system implements certificate status checking. 

If there is no evidence of certificate status checking being used, this is a finding.