DISA STIGS Viewer

For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Overview

Finding ID: V-268179
Version: ANIX-00-002060
Rule ID: SV-268179r1039545_rule
IA Controls:
Severity: Medium
Description
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
STIG: Anduril NixOS Security Technical Implementation Guide
Date: 2024-10-25

Details

Check Text (C-72103r1039423_chk)
Verify that NixOS, for PKI-based authentication, uses local revocation data when it cannot obtain that data over the network, with the following command:

$ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf

cert_policy = ca,signature,ocsp_on, crl_auto;

If cert_policy does not contain the options shown in the example output, this is a finding.
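A scripted form of the check above, added here as an example and not part of the STIG: it extracts the cert_policy value from a pam_pkcs11.conf file and reports which of the expected options (ca, signature, ocsp_on, crl_auto) are missing, tolerating the uneven spacing seen in the example output. The two sample files are constructed stand-ins for /etc/pam_pkcs11/pam_pkcs11.conf.

```shell
#!/bin/sh
# Added example: verify that the pam_pkcs11 cert_policy contains every
# option the STIG check expects, regardless of spacing or indentation.
# Usage: check_cert_policy /etc/pam_pkcs11/pam_pkcs11.conf

REQUIRED_OPTS="ca signature ocsp_on crl_auto"

# Print the comma-separated cert_policy value with spaces, quotes and the
# trailing ';' stripped, or nothing if no cert_policy line exists.
cert_policy_value() {
  sed -n 's/^[[:space:]]*cert_policy[[:space:]]*=[[:space:]]*//p' "$1" \
    | head -n 1 \
    | tr -d ' \t";'
}

# Return 0 when every required option is present, 1 otherwise; missing
# options are printed so the finding is actionable.
check_cert_policy() {
  value=$(cert_policy_value "$1")
  if [ -z "$value" ]; then
    echo "FINDING: no cert_policy line in $1"
    return 1
  fi
  missing=""
  for opt in $REQUIRED_OPTS; do
    case ",$value," in
      *",$opt,"*) ;;
      *) missing="$missing $opt" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "FINDING: cert_policy in $1 is missing:$missing"
    return 1
  fi
  echo "OK: cert_policy in $1 = $value"
  return 0
}

# Constructed sample files: one compliant, one missing crl_auto.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
printf '  cert_policy = ca,signature,ocsp_on, crl_auto;\n' > "$GOOD_CONF"
printf '  cert_policy = ca,signature,ocsp_on;\n' > "$BAD_CONF"
```

Run it against the real file by calling check_cert_policy with /etc/pam_pkcs11/pam_pkcs11.conf; a non-zero exit status corresponds to a finding.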
Fix Text (F-72006r1039544_fix)
Configure the NixOS operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix:

security.pam.p11.enable = true;
environment.etc."pam_pkcs11/pam_pkcs11.conf".text = ''
cert_policy = ca,signature,ocsp_on, crl_auto;
'';

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch