STIGQter: STIG Summary: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:SV-234855r622137_rule
V-234855
SRG-OS-000375-GPOS-00160
SLES-15-010470
CAT II
10
Configure the SUSE operating system to certificate status checking for PKI authentication.
Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".
Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted.
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
Verify the SUSE operating system implements certificate status checking for multifactor authentication.
Check that certificate status checking for multifactor authentication is implemented with the following command:
> grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy
cert_policy = ca,ocsp_on,signature,crl_auto;
If "cert_policy" is not set to include "ocsp", this is a finding.
V-234855
False
SLES-15-010470
Verify the SUSE operating system implements certificate status checking for multifactor authentication.
Check that certificate status checking for multifactor authentication is implemented with the following command:
> grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy
cert_policy = ca,ocsp_on,signature,crl_auto;
If "cert_policy" is not set to include "ocsp", this is a finding.
M
5274