Configure Smart Card Certificate Status Checking

An XCCDF Rule

Description

Configure the operating system to do certificate status checking for PKI authentication. Modify all of the cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf to include ocsp_on like so:

cert_policy = ca, ocsp_on, signature;

Rationale

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

ID: xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking
Severity: Medium
References: CCI-001948 CCI-001953 CCI-001954

SRG-OS-000375-GPOS-00160 SRG-OS-000376-GPOS-00161 SRG-OS-000377-GPOS-00162 SRG-OS-000384-GPOS-00167

SLES-15-010470

CCE-83293-1

SV-234855r854201_rule
Updated: about 1 year ago

- name: Package facts
  package_facts: null
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture != "s390x"
  tags:  - CCE-83293-1
  - DISA-STIG-SLES-15-010470
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - smartcard_configure_cert_checking

- name: Replace 'none' from cert_policy
  replace:
    path: /etc/pam_pkcs11/pam_pkcs11.conf
    regexp: (^\s*cert_policy\s*=\s*)none\s*;(\s*$)
    replace: \g<1>ocsp_on,ca,signature;\g<2>
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture != "s390x"
  - '''pam_pkcs11'' in ansible_facts.packages'
  tags:
  - CCE-83293-1
  - DISA-STIG-SLES-15-010470
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - smartcard_configure_cert_checking

- name: Add 'ocsp_on' parameter for cert_policy in /etc/pam_pkcs11/pam_pkcs11.conf
  replace:
    path: /etc/pam_pkcs11/pam_pkcs11.conf
    regexp: (^\s*cert_policy\s*=\s*)(?!.*ocsp_on)(.*)
    replace: \g<1>ocsp_on,\g<2>
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture != "s390x"
  - '''pam_pkcs11'' in ansible_facts.packages'
  tags:
  - CCE-83293-1
  - DISA-STIG-SLES-15-010470
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - smartcard_configure_cert_checking

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then

zypper install -y "pam_pkcs11"

if grep "^\s*cert_policy" /etc/pam_pkcs11/pam_pkcs11.conf | grep -qv "ocsp_on"; then	sed -i "/^\s*#/! s/cert_policy.*/cert_policy = ca, ocsp_on, signature;/g" /etc/pam_pkcs11/pam_pkcs11.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure Smart Card Certificate Status Checking

Description

Rationale

Remediation - Ansible

Remediation - Shell Script