Vulnerability Discussion
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
Check
Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network.
Verify that "crl_offline" or "crl_auto" is part of the "cert_policy" definition in "/etc/pam_pkcs11/pam_pkcs11.conf" using the following command:
# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- 'crl_auto|crl_offline'
cert_policy = ca,signature,ocsp_on,crl_auto;
If "cert_policy" is not set to include "crl_auto" or "crl_offline", this is a finding.
Fix
Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.
Add or update the "cert_policy" option in "/etc/pam/_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline".
cert_policy = ca,signature,ocsp_on, crl_auto;
If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".