For PKI-based authentication, NixOS must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-268179 | ANIX-00-002060 | SV-268179r1131166_rule | CCI-004068 | medium |
| Description | ||||
| Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates). | ||||
| STIG | Date | |||
| Anduril NixOS Security Technical Implementation Guide | 2025-08-19 | |||
Details
Check Text (C-268179r1131166_chk)
Verify NixOS, for PKI-based authentication, uses local revocation data when unable to access the network to obtain it remotely with the following command:
$ grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf
cert_policy = ca,signature,ocsp_on, crl_auto;
If the cert_policy does not contain the options in the example output, this is a finding.
Fix Text (F-72006r1131165_fix)
Configure NixOS, for PKI-based authentication, to use local revocation data when unable to access the network to obtain it remotely.
Add the following Nix code to the NixOS Configuration, usually located in /etc/nixos/configuration.nix or /etc/nixos/flake.nix:
security.pam.p11.enable = true;
environment.etc."pam_pkcs11/pam_pkcs11.conf".text = ''
cert_policy = ca,signature,ocsp_on, crl_auto;
'';
Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch