STIGQter STIGQter: STIG Summary: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Ubuntu operating system must implement certificate status checking for multifactor authentication.

DISA Rule

SV-219320r610963_rule

Vulnerability Number

V-219320

Group Title

SRG-OS-000377-GPOS-00162

Rule Version

UBTU-18-010434

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the Ubuntu operating system to certificate status checking for multifactor authentication.

Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include ocsp_on.

Check Contents

Verify the Ubuntu operating system implements certificate status checking for multifactor authentication.

Check that certificate status checking for multifactor authentication is implemented with the following command:

# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ocsp_on

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.

Vulnerability Number

V-219320

Documentable

False

Rule Version

UBTU-18-010434

Severity Override Guidance

Verify the Ubuntu operating system implements certificate status checking for multifactor authentication.

Check that certificate status checking for multifactor authentication is implemented with the following command:

# sudo grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module opensc {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy | grep ocsp_on

cert_policy = ca,signature,ocsp_on;

If "cert_policy" is not set to "ocsp_on", or the line is commented out, this is a finding.

Check Content Reference

M

Target Key

4055

Comments