For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.

Severity: medium
Group ID: V-268179
Group Title: SRG-OS-000384-GPOS-00167
Version: ANIX-00-002060
Rule ID: SV-268179r1039545_rule
Date: 2024-10-25
STIG Version: 1
Description
Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
ℹ️ Check
Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command:

$ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
cert_policy = ca,signature,ocsp_on, crl_auto;

If the cert_policy does not contain the options in the example output, this is a finding.
✔️ Fix
Configure the NixOS operating system, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.

Add the following Nix code to the NixOS configuration, usually located in /etc/nixos/configuration.nix:

security.pam.p11.enable = true;
environment.etc."pam_pkcs11/pam_pkcs11.conf".text = ''
  cert_policy = ca,signature,ocsp_on, crl_auto;
'';

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch
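The check above relies on a bare grep, which would also match a commented-out cert_policy line and requires the reader to compare the option list by eye. As an added example that is not part of the STIG or of NixOS, the following POSIX shell function audits a pam_pkcs11.conf for each required option (ca, signature, ocsp_on, crl_auto), ignores lines starting with '#', and tolerates the stray whitespace present in the STIG's own sample output. The sample configuration it demonstrates on is constructed for the example; the live path /etc/pam_pkcs11/pam_pkcs11.conf is only checked when it exists.

```sh
#!/bin/sh
# Added example, not from the STIG or NixOS: audit a pam_pkcs11.conf for the
# cert_policy options the STIG check expects (ca, signature, ocsp_on, crl_auto).
# Unlike a bare grep it ignores commented-out lines and tolerates the
# whitespace seen in the STIG's sample output ("ocsp_on, crl_auto").

REQUIRED_OPTS="ca signature ocsp_on crl_auto"

# check_cert_policy FILE -> returns 0 if every required option is present,
# 1 otherwise (also 1 when the file is unreadable or has no active
# cert_policy line).
check_cert_policy() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Last active cert_policy line wins; strip the key, the trailing ';'
    # and all blanks, leaving a plain comma-separated option list.
    policy=$(grep -E '^[[:space:]]*cert_policy[[:space:]]*=' "$conf" \
             | tail -n 1 \
             | sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/[[:space:]]//g')
    [ -n "$policy" ] || return 1
    for opt in $REQUIRED_OPTS; do
        case ",$policy," in
            *",$opt,"*) ;;          # option present
            *) return 1 ;;          # option missing: this is a finding
        esac
    done
    return 0
}

# Self-contained demonstration on a constructed sample file (not the live config).
sample=$(mktemp)
printf 'cert_policy = ca,signature,ocsp_on, crl_auto;\n' > "$sample"
if check_cert_policy "$sample"; then
    echo "constructed sample: compliant"
else
    echo "constructed sample: FINDING"
fi
rm -f "$sample"

# Run against the live configuration when present, e.g. on a NixOS host.
if [ -r /etc/pam_pkcs11/pam_pkcs11.conf ]; then
    if check_cert_policy /etc/pam_pkcs11/pam_pkcs11.conf; then
        echo "/etc/pam_pkcs11/pam_pkcs11.conf: compliant"
    else
        echo "/etc/pam_pkcs11/pam_pkcs11.conf: FINDING"
    fi
fi
```

On NixOS the file under /etc is a symlink into the Nix store generated from the environment.etc option above; grep follows the symlink, so the function works unchanged after nixos-rebuild switch. Order of the options does not matter, only their presence.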