UBTU-20-010066 - The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Solution

Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add or update the 'cert_policy' option in '/etc/pam_pkcs11/pam_pkcs11.conf' to include 'crl_auto' or 'crl_offline'.

cert_policy = ca,signature,ocsp_on, crl_auto;

If the system is missing an '/etc/pam_pkcs11/' directory and an '/etc/pam_pkcs11/pam_pkcs11.conf', find an example to copy into place and modify accordingly at '/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R9_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001991, Rule-ID|SV-238233r880870_rule, STIG-ID|UBTU-20-010066, Vuln-ID|V-238233

Plugin: Unix

Control ID: fb6efb712de0109614c39bc3917bc23655e40e3da6cb6cd9c904c49dd778404d