File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (57 lines) | stat: -rw-r--r-- 2,549 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
 
documentation_complete: true


title: 'Certificate status checking in SSSD'

description: |-
    Multifactor solutions that require devices separate from information systems gaining access include,
    for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
    Configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst={{{ xccdf_value("var_sssd_certificate_verification_digest_function") }}}</tt> ensures that certificates for
    multifactor solutions are checked via Online Certificate Status Protocol (OCSP).

rationale: |-
    Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
    ensures the security of the system.

severity: medium

identifiers:
   cce@rhel8: CCE-86120-3
   cce@rhel9: CCE-87088-1
   cce@rhel10: CCE-86192-2

references:
    nist: IA-2(11)
    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162
    stigid@ol8: OL08-00-010400

ocil_clause: 'certificate_verification in sssd is not configured'

ocil: |-
    Check to see if Online Certificate Status Protocol (OCSP)
    is enabled and using the proper digest value on the system with the following command:
    <pre>$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"</pre>
    If configured properly, output should look like
    <pre>
        certificate_verification = ocsp_dgst={{{ xccdf_value("var_sssd_certificate_verification_digest_function") }}}
    </pre>

fixtext: |-
    Configure the operating system to implement certificate status checking for multifactor authentication.

    Review the "/etc/sssd/conf.d/certificate_verification.conf" file to determine if the system is configured to prevent OCSP or certificate verification.

    Add the following line to the "/etc/sssd/conf.d/certificate_verification.conf" file:

    certificate_verification = ocsp_dgst={{{ xccdf_value("var_sssd_certificate_verification_digest_function") }}}

    Set the correct ownership and permissions on the "/etc/sssd/conf.d/certificate_verification.conf" file by running these commands:

    $ sudo chown root:root "/etc/sssd/conf.d/certificate_verification.conf"
    $ sudo chmod 600 "/etc/sssd/conf.d/certificate_verification.conf"

    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:

    $ sudo systemctl restart sssd.service

srg_requirement: '{{{ full_name }}} must implement certificate status checking for multifactor authentication.'