← Rules Catalog
mediumaccess-controlunverified

Ensure SSSD performs OCSP certificate status checking for MFA

sssd-ocsp-cert-check · RHEL ≥ 8 · 1 impl

Description

When smart-card / certificate authentication is used via SSSD, certificate status must be validated with OCSP (certificate_verification = ocsp_dgst=sha1 in the [sssd] section).

Rationale

Without revocation checking, a revoked or compromised certificate would still be accepted for authentication.

Check → Remediate

Checkcommand
conf=$(ls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null)
if [ -z "$conf" ]; then
  echo "NOT APPLICABLE: SSSD not configured (no alternate MFA in use here)"
  exit 0
fi
# Tolerate arbitrary whitespace around both '=' (e.g. 'ocsp_dgst = sha1').
if grep -hqE '^[[:space:]]*certificate_verification[[:space:]]*=.*ocsp_dgst[[:space:]]*=' $conf 2>/dev/null; then
  echo "OK: SSSD OCSP certificate_verification configured"
  exit 0
fi
echo "FAIL: certificate_verification with ocsp_dgst not set in [sssd]"
exit 1
expected_exit:
0
Remediatemanual
note:
Add to the [sssd] section of /etc/sssd/sssd.conf then restart sssd: certificate_verification = ocsp_dgst=sha1

Framework references

STIG

V-281325 / RHEL-10-701230V-258123 / RHEL-09-611170V-230274 / RHEL-08-010400

NIST 800-53

IA-2(6)
#sssd#pki#ocsp#mfa#stig