The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.
DISA Rule
SV-225157r610901_rule
Vulnerability Number
V-225157
Group Title
SRG-OS-000376-GPOS-00161
Rule Version
AOSX-15-001060
Severity
CAT II
CCI(s)
- CCI-000186 - The information system, for PKI-based authentication, enforces authorized access to the corresponding private key.
- CCI-001991 - The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
- CCI-001953 - The information system accepts Personal Identity Verification (PIV) credentials.
- CCI-001954 - The information system electronically verifies Personal Identity Verification (PIV) credentials.
- CCI-002470 - The information system only allows the use of organization-defined certificate authorities for verification of the establishment of protected sessions.
Weight
10
Fix Recommendation
This setting is enforced using the "Smart Card Policy" configuration profile.
Note: Before applying the "Smart Card Policy", the supplemental guidance provided with the STIG should be consulted to ensure continued access to the operating system.
Check Contents
To verify that certificate checks are occurring, run the following command.
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep checkCertificateTrust
If the output is null or the value returned, "checkCertificateTrust = 1", is not equal to (1) or greater, this is a finding.
Vulnerability Number
V-225157
Documentable
False
Rule Version
AOSX-15-001060
Severity Override Guidance
To verify that certificate checks are occurring, run the following command.
/usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep checkCertificateTrust
If the output is null or the value returned, "checkCertificateTrust = 1", is not equal to (1) or greater, this is a finding.
Check Content Reference
M
Target Key
4212
Comments