STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Ubuntu operating system must implement certificate status checking for multifactor authentication.

DISA Rule

SV-219320r610963_rule

Vulnerability Number

V-219320

Group Title

SRG-OS-000377-GPOS-00162

Rule Version

UBTU-18-010434

Severity

CAT II

CCI(s)

• CCI-001954 - The information system electronically verifies Personal Identity Verification (PIV) credentials.

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to certificate status checking for multifactor authentication.

Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include ocsp_on.

Check Contents

Verify the Ubuntu operating system implements certificate status checking for multifactor authentication.

Check that certificate status checking for multifactor authentication is implemented with the following command:

# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ocsp_on

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.

Vulnerability Number

V-219320

Documentable

False

Rule Version

UBTU-18-010434

Severity Override Guidance

Verify the Ubuntu operating system implements certificate status checking for multifactor authentication.

Check that certificate status checking for multifactor authentication is implemented with the following command:

# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ocsp_on

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.

Check Content Reference

M

Target Key

4055

Comments