Detections
Analytics
VCSA-70-000080 - The vCenter Server must enable revocation checking for certificate-based authentication.
Information
The system must establish the validity of the user-supplied identity certificate using Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) revocation checking.Satisfies: SRG-APP-000175, SRG-APP-000392, SRG-APP-000401, SRG-APP-000403
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, go to Administration >> Single Sign On >> Configuration >> Identity Provider >> Smart Card Authentication.Under Smart card authentication settings >> Certificate revocation, click the 'Edit' button.
Configure revocation checking per site requirements. OCSP with CRL failover is recommended.
By default, both locations are pulled from the cert. CRL location can be overridden in this screen, and local responders can be specified via the sso-config command line tool. Refer to the supplemental document for more information.
Note: If FIPS mode is enabled on vCenter, OCSP revocation validation may not function and CRL used instead.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip
Item Details
Audit Name: DISA STIG VMware vSphere 7.0 vCenter v1r3
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-2(12), 800-53|IA-5(2)(a), 800-53|IA-5(2)(d), 800-53|IA-8(1), CAT|II, CCI|CCI-000185, CCI|CCI-001954, CCI|CCI-001991, CCI|CCI-002010, Rule-ID|SV-256333r919043_rule, STIG-ID|VCSA-70-000080, Vuln-ID|V-256333
Plugin: VMware
Control ID: 7ebae69ec24939e6b160c72411bdbe556df8f373ba95ab8f3311d386dca2ec4d