STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
Version: 1 Release: 1 Benchmark Date: 10 Mar 2021

The Ubuntu operating system must electronically verify Personal Identity Verification (PIV) credentials.

DISA Rule

SV-238232r653871_rule

Vulnerability Number

V-238232

Group Title

SRG-OS-000377-GPOS-00162

Rule Version

UBTU-20-010065

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to do certificate status checking for multifactor authentication.

Modify all of the "cert_policy" lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".

Check Contents

Verify the Ubuntu operating system electronically verifies PIV credentials.

Verify that certificate status checking for multifactor authentication is implemented with the following command:

$ sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ocsp_on

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.
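
The fix text asks for "ocsp_on" on all "cert_policy" lines, while the check command only shows lines inside the opensc block that already contain it. The script below is an added example, not part of the STIG or of STIGQter: it audits every uncommented "cert_policy" line in a file. The function names, the "pkcs11_module default" block and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not STIG text: audit every active cert_policy line.

# check_ocsp_on FILE
# Returns 0 when every uncommented cert_policy line lists ocsp_on;
# returns 1 when one lacks it or when no uncommented line exists.
check_ocsp_on() {
    awk '
        /^[ \t]*cert_policy[ \t]*=/ {
            total++
            policy = $0
            sub(/^[^=]*=/, "", policy)    # keep only the value
            sub(/;.*$/, "", policy)       # drop the terminator
            gsub(/[ \t]/, "", policy)     # tolerate "ca, signature"
            n = split(policy, opts, ",")
            found = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "ocsp_on") found = 1   # exact token match
            if (found) {
                printf "OK      line %d: %s\n", NR, policy
            } else {
                printf "FINDING line %d: %s\n", NR, policy
                bad++
            }
        }
        END {
            if (total == 0) { print "FINDING no active cert_policy line"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample config: the second module block lacks ocsp_on.
write_sample() {
    cat > "$1" <<'EOF'
use_pkcs11_module = opensc;
pkcs11_module opensc {
  # cert_policy = none;
  cert_policy = ca,signature,ocsp_on;
}
pkcs11_module default {
  cert_policy = ca, signature;
}
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_ocsp_on "$sample" || echo "Result: finding"
rm -f "$sample"
```

On a real system, run the function against /etc/pam_pkcs11/pam_pkcs11.conf with the privileges needed to read it.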

Documentable

False

Check Content Reference

M

Target Key

5318

Comments