STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Ubuntu operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

DISA Rule

SV-219315r610963_rule

Vulnerability Number

V-219315

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

UBTU-18-010425

Severity

CAT II

CCI(s)

• CCI-000185 - The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
• CCI-001991 - The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.

Weight

10

Fix Recommendation

Configure the Ubuntu operating system, for PKI-based authentication, to validate certificates by constructing a certification path to an accepted trust anchor.

Determine which pkcs11 module is being used via the use_pkcs11_module in /etc/pam_pkcs11/pam_pkcs11.conf and ensure "ca" is enabled in "cert_policy".

Add or update the "cert_policy" to ensure "ca" is enabled:

cert_policy = ca,signature,ocsp_on;

If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".

Check Contents

Verify the Ubuntu operating system, for PKI-based authentication, had valid certificates by constructing a certification path to an accepted trust anchor.

Check which pkcs11 module is being used via the use_pkcs11_module in /etc/pam_pkcs11/pam_pkcs11.conf and then ensure "ca" is enabled in "cert_policy" with the following command:

# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ca", or the line is commented out, this is a finding.

Vulnerability Number

V-219315

Documentable

False

Rule Version

UBTU-18-010425

Severity Override Guidance

Verify the Ubuntu operating system, for PKI-based authentication, had valid certificates by constructing a certification path to an accepted trust anchor.

Check which pkcs11 module is being used via the use_pkcs11_module in /etc/pam_pkcs11/pam_pkcs11.conf and then ensure "ca" is enabled in "cert_policy" with the following command:

# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ca

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ca", or the line is commented out, this is a finding.

Check Content Reference

M

Target Key

4055

Comments