UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).


Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add or update the 'cert_policy' option in '/etc/pam/_pkcs11/pam_pkcs11.conf' to include 'crl_auto' or 'crl_offline'.

cert_policy = ca,signature,ocsp_on, crl_auto;

If the system is missing an '/etc/pam_pkcs11/' directory and an '/etc/pam_pkcs11/pam_pkcs11.conf', find an example to copy into place and modify accordingly at '/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz'.

See Also


Item Details

References: CAT|II, CCI|CCI-001991, Rule-ID|SV-238233r653874_rule, STIG-ID|UBTU-20-010066, Vuln-ID|V-238233

Plugin: Unix

Control ID: d958163a6044555c1337d5081c12c5031bffe2803aa5ffa702a74b7a54e70557