The Ubuntu operating system for PKI-based authentication, must implement a local cache of revocation data in case of the inability to access revocation information via the network.

STIG ID: UBTU-20-010066  |  SRG: SRG-OS-000384-GPOS-00167 |  Severity: medium |  CCI: CCI-001991 |  Vulnerability Id: V-238233 | 

Vulnerability Discussion

Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

Check

Verify the Ubuntu operating system, for PKI-based authentication, uses local revocation data when unable to access it from the network.

Verify that "crl_offline" or "crl_auto" is part of the "cert_policy" definition in "/etc/pam_pkcs11/pam_pkcs11.conf" using the following command:

# sudo grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | grep -E -- 'crl_auto|crl_offline'

cert_policy = ca,signature,ocsp_on,crl_auto;

If "cert_policy" is not set to include "crl_auto" or "crl_offline", this is a finding.

Fix

Configure the Ubuntu operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add or update the "cert_policy" option in "/etc/pam/_pkcs11/pam_pkcs11.conf" to include "crl_auto" or "crl_offline".

cert_policy = ca,signature,ocsp_on, crl_auto;

If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".