STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-217302r646769_rule
V-217302
SRG-OS-000066-GPOS-00034
SLES-12-030530
CAT II
10
Configure the SUSE operating system, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca":
cert_policy = ca,signature,oscp_on;
Note: Additional certificate validation polices are permitted.
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/
Verify the SUSE operating system, for PKI-based authentication, had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command:
> grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
cert_policy = ca,oscp_on,signature,crl_auto;
If "cert_policy" is not set to include "ca", this is a finding.
V-217302
False
SLES-12-030530
Verify the SUSE operating system, for PKI-based authentication, had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.
Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command:
> grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
cert_policy = ca,oscp_on,signature,crl_auto;
If "cert_policy" is not set to include "ca", this is a finding.
M
4033