STIGQter STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The SUSE operating system, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

DISA Rule

SV-217302r646769_rule

Vulnerability Number

V-217302

Group Title

SRG-OS-000066-GPOS-00034

Rule Version

SLES-12-030530

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system, for PKI-based authentication, to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ca":

cert_policy = ca,signature,oscp_on;

Note: Additional certificate validation polices are permitted.

Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/

Check Contents

Verify the SUSE operating system, for PKI-based authentication, had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command:

> grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf

cert_policy = ca,oscp_on,signature,crl_auto;

If "cert_policy" is not set to include "ca", this is a finding.

Vulnerability Number

V-217302

Documentable

False

Rule Version

SLES-12-030530

Severity Override Guidance

Verify the SUSE operating system, for PKI-based authentication, had valid certificates by constructing a certification path (which includes status information) to an accepted trust anchor.

Check that the certification path to an accepted trust anchor for multifactor authentication is implemented with the following command:

> grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf

cert_policy = ca,oscp_on,signature,crl_auto;

If "cert_policy" is not set to include "ca", this is a finding.

Check Content Reference

M

Target Key

4033

Comments