mediumaccess-controlunverified
Ensure SSSD performs OCSP certificate status checking for MFA
sssd-ocsp-cert-check · RHEL ≥ 8 · 1 impl
Description
When smart-card / certificate authentication is used via SSSD, certificate status must be validated with OCSP (certificate_verification = ocsp_dgst=sha1 in the [sssd] section).
Rationale
Without revocation checking, a revoked or compromised certificate would still be accepted for authentication.
Check → Remediate
Checkcommand
conf=$(ls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null) if [ -z "$conf" ]; then echo "NOT APPLICABLE: SSSD not configured (no alternate MFA in use here)" exit 0 fi # Tolerate arbitrary whitespace around both '=' (e.g. 'ocsp_dgst = sha1'). if grep -hqE '^[[:space:]]*certificate_verification[[:space:]]*=.*ocsp_dgst[[:space:]]*=' $conf 2>/dev/null; then echo "OK: SSSD OCSP certificate_verification configured" exit 0 fi echo "FAIL: certificate_verification with ocsp_dgst not set in [sssd]" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to the [sssd] section of /etc/sssd/sssd.conf then restart sssd: certificate_verification = ocsp_dgst=sha1
Framework references
STIG
V-281325 / RHEL-10-701230V-258123 / RHEL-09-611170V-230274 / RHEL-08-010400
NIST 800-53
IA-2(6)
#sssd#pki#ocsp#mfa#stig