STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date: 10 Mar 2021

The Ubuntu operating system must only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

DISA Rule

SV-238364r654267_rule

Vulnerability Number

V-238364

Group Title

SRG-OS-000403-GPOS-00182

Rule Version

UBTU-20-010443

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions.

Edit the "/etc/ca-certificates.conf" file, prefixing every uncommented line that does not already start with the "!" character with "!", using the following command:

$ sudo sed -i -E 's/^([^!#]+)/!\1/' /etc/ca-certificates.conf

Add at least one DoD certificate authority to the "/usr/local/share/ca-certificates" directory in the PEM format.

Update the "/etc/ssl/certs" directory with the following command:

$ sudo update-ca-certificates

Check Contents

Verify the directory containing the root certificates for the Ubuntu operating system (/etc/ssl/certs) only contains certificate files for DoD PKI-established certificate authorities.

Determine if "/etc/ssl/certs" only contains certificate files whose SHA-256 fingerprints match those of DoD PKI-established certificate authorities, using the following command (the loop must use the full path of each file, since the command is not necessarily run from inside "/etc/ssl/certs"):

$ for f in /etc/ssl/certs/*; do openssl x509 -sha256 -in "$f" -noout -fingerprint | cut -d= -f2 | tr -d ':' | egrep -vw '(9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)'; done

If any entry is found, this is a finding.
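An added example, not part of the STIG text: a small Python auditor for the same check. It computes the SHA-256 fingerprint of every certificate in each file of the CA directory (the openssl loop above reads only the first certificate of a bundle such as ca-certificates.crt) and reports any fingerprint that is not one of the four DoD CA fingerprints listed in the check. The sample files, DER bytes and sample allowlist are constructed for an offline run and are not real certificates.

```python
"""Audit CA certificate files against an allowlist of SHA-256 fingerprints."""
from __future__ import annotations
import base64, hashlib, re, sys
from pathlib import Path

# The four DoD root CA fingerprints from the STIG check (SHA-256 over DER, uppercase hex).
DOD_CA_FINGERPRINTS = {
    "9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE",
    "B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2",
    "559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74",
    "1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9",
}
_PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def pem_fingerprints(data: bytes) -> list[str]:
    """SHA-256 fingerprint of every certificate in a PEM blob, in file order.
    `openssl x509 -sha256 -fingerprint` hashes the DER encoding, i.e. the base64-decoded
    PEM body, so no ASN.1 parsing is needed. Unlike `openssl x509`, which reads only the
    first certificate, this covers every entry of a bundle such as ca-certificates.crt."""
    return [hashlib.sha256(base64.b64decode(b"".join(m.group(1).split()))).hexdigest().upper()
            for m in _PEM_BLOCK.finditer(data)]

def audit_files(files: dict[str, bytes], allowed: set[str] = DOD_CA_FINGERPRINTS) -> dict[str, list[str]]:
    """Return {filename: [fingerprints not on the allowlist]}; an empty dict means no finding."""
    findings = {}
    for name, data in sorted(files.items()):
        bad = [fp for fp in pem_fingerprints(data) if fp not in allowed]
        if bad:
            findings[name] = bad
    return findings

def audit_ca_dir(directory: str, allowed: set[str] = DOD_CA_FINGERPRINTS) -> dict[str, list[str]]:
    """Audit every regular file (symlinks followed) in a CA directory such as /etc/ssl/certs."""
    paths = [p for p in Path(directory).iterdir() if p.is_file()]
    return audit_files({p.name: p.read_bytes() for p in paths}, allowed)

# Constructed sample for offline runs: two fake "certificates" (arbitrary DER bytes, not real
# X.509 structures); the second is deliberately absent from the sample allowlist.
_DER_OK, _DER_BAD = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
def _pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
SAMPLE_FILES = {"dod-root.pem": _pem(_DER_OK), "ca-certificates.crt": _pem(_DER_OK) + _pem(_DER_BAD)}
SAMPLE_ALLOWED = {hashlib.sha256(_DER_OK).hexdigest().upper()}

if __name__ == "__main__":
    # With a directory argument, audit it against the DoD allowlist; otherwise run the sample.
    result = audit_ca_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_files(SAMPLE_FILES, SAMPLE_ALLOWED)
    print(result or "no finding")
    sys.exit(1 if result else 0)  # non-zero exit status signals a finding
```

Run as `python3 audit_ca.py /etc/ssl/certs` on the target; any non-empty result corresponds to a finding under this rule.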

Vulnerability Number

V-238364

Documentable

False

Rule Version

UBTU-20-010443

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

5318

Comments