STIGQter STIGQter: STIG Summary: SUSE Linux Enterprise Server 15 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

The SUSE operating system must implement certificate status checking for multifactor authentication.

DISA Rule

SV-234855r622137_rule

Vulnerability Number

V-234855

Group Title

SRG-OS-000375-GPOS-00160

Rule Version

SLES-15-010470

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system to certificate status checking for PKI authentication.

Modify all of the cert_policy lines in "/etc/pam_pkcs11/pam_pkcs11.conf" to include "ocsp_on".

Note: OCSP allows sending request for certificate status information. Additional certificate validation polices are permitted.

Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

Check Contents

Verify the SUSE operating system implements certificate status checking for multifactor authentication.

Check that certificate status checking for multifactor authentication is implemented with the following command:

> grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy

cert_policy = ca,ocsp_on,signature,crl_auto;

If "cert_policy" is not set to include "ocsp", this is a finding.

Vulnerability Number

V-234855

Documentable

False

Rule Version

SLES-15-010470

Severity Override Guidance

Verify the SUSE operating system implements certificate status checking for multifactor authentication.

Check that certificate status checking for multifactor authentication is implemented with the following command:

> grep use_pkcs11_module /etc/pam_pkcs11/pam_pkcs11.conf | awk '/pkcs11_module coolkey {/,/}/' /etc/pam_pkcs11/pam_pkcs11.conf | grep cert_policy

cert_policy = ca,ocsp_on,signature,crl_auto;

If "cert_policy" is not set to include "ocsp", this is a finding.

Check Content Reference

M

Target Key

5274

Comments