SV-217300r603262_rule
V-217300
SRG-OS-000375-GPOS-00160
SLES-12-030510
CAT II
10
Configure the SUSE operating system to implement certificate status checking for PKI authentication.
Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
Note: OCSP allows sending a request for certificate status information. Additional certificate validation policies are permitted.
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/
Verify the SUSE operating system implements certificate status checking for multifactor authentication.
Check that certificate status checking for multifactor authentication is implemented with the following command:
# grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy
cert_policy = ca,ocsp_on,signature,crl_auto;
If "cert_policy" is not set to include "ocsp_on", this is a finding.
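Added example (not part of the STIG text): a shell function that audits every cert_policy line in the file, as the fix text requires, rather than only the coolkey block, and that ignores commented-out lines. The function name check_ocsp_on, its exit codes and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# check_ocsp_on FILE  (hypothetical helper, not shipped with pam_pkcs11)
#   exit 0: at least one active cert_policy line exists and all include ocsp_on
#   exit 1: an active cert_policy line lacks ocsp_on (offending lines printed)
#   exit 2: file unreadable, or no active cert_policy line found
check_ocsp_on() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        { line = $0; sub(/#.*/, "", line) }          # strip comments first
        line !~ /^[ \t]*cert_policy[ \t]*=/ { next } # only active policy lines
        {
            seen++
            val = line
            sub(/^[^=]*=/, "", val)                  # keep the value part
            gsub(/[ \t;]/, "", val)                  # drop blanks and the ";"
            n = split(val, tok, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (tok[i] == "ocsp_on") ok = 1
            if (!ok) { bad++; printf "%d: %s\n", NR, $0 }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    ' "$conf"
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
pkcs11_module coolkey {
  cert_policy = ca,ocsp_on,signature,crl_auto;
}
pkcs11_module opensc {
  # cert_policy = ca,ocsp_on,signature;
  cert_policy = ca,signature;
}
EOF
rc=0
check_ocsp_on "$sample" || rc=$?   # prints the line that is a finding
echo "exit status: $rc"
rm -f "$sample"
```

On a live system, call check_ocsp_on /etc/pam_pkcs11/pam_pkcs11.conf and treat any non-zero exit status as a finding.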
V-217300
False
SLES-12-030510
M
4033