Ubuntu 22.04 LTS must map the authenticated identity to the user or group account for PKI-based authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-260579 | UBTU-22-612040 | SV-260579r958452_rule | CCI-000187 | high |
| Description | ||||
| Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis. | ||||
| STIG | Date | |||
| Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide | 2025-05-16 | |||
Details
Check Text (C-260579r958452_chk)
Verify that "use_mappers" is set to "pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" file by using the following command:
$ grep -i use_mappers /etc/pam_pkcs11/pam_pkcs11.conf
use_mappers = pwent
If "use_mappers" does not contain "pwent", is commented out, or is missing, this is a finding.
Fix Text (F-64216r953549_fix)
Set "use_mappers=pwent" in "/etc/pam_pkcs11/pam_pkcs11.conf" or, if there is already a comma-separated list of mappers, add it to the list, separated by comma, and before the null mapper.
If the system is missing an "/etc/pam_pkcs11/" directory and an "/etc/pam_pkcs11/pam_pkcs11.conf", find an example to copy into place and modify accordingly at "/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz".