Detections
Analytics
UBTU-24-600060 - Ubuntu 24.04 LTS must use DOD PKI-established certificate authorities (CAs) for verification of the establishment of protected sessions.
Information
Untrusted CAs can issue certificates, but they may be issued by organizations or individuals that seek to compromise DOD systems or by organizations with insufficient security controls. If the CA used for verifying the certificate is not a DOD-approved CA, trust of this CA has not been established.The DOD will only accept PKI-certificates obtained from a DOD-approved internal or external certificate authority. Reliance on CAs for the establishment of secure sessions includes, for example, the use of SSL/TLS certificates.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Configure Ubuntu 24.04 LTS to use of DOD PKI-established CAs for verification of the establishment of protected sessions.Edit the "/etc/ca-certificates.conf" file, adding the character "!" to the beginning of all uncommented lines that do not start with the "!" character with the following command:
$ sudo sed -i -E 's/^([^!#]+)/!\1/' /etc/ca-certificates.conf
Add at least one CA to the "/usr/local/share/ca-certificates" directory in the PEM format.
Update the "/etc/ssl/certs" directory with the following command:
$ sudo update-ca-certificates
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_24-04_LTS_V1R5_STIG.zip
Item Details
Audit Name: DISA Canonical Ubuntu 24.04 LTS STIG v1r5
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-23(5), CAT|II, CCI|CCI-002470, Rule-ID|SV-270745r1066724_rule, STIG-ID|UBTU-24-600060, Vuln-ID|V-270745
Plugin: Unix
Control ID: 84fc728d4db2c602ce85455def67a499c00bcefcd46a15fc2c447a5aa582bd94