Title

Amazon Linux 2023 must enable certificate-based smart card authentication. (Cat II impact)

Discussion

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000705-GPOS-00150

Check Content

Note: If the system administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable. Verify Amazon Linux 2023 has smart cards enabled in System Security Services Daemon (SSSD), run the following command: $ sudo grep -ir pam_cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/ /etc/sssd/sssd.conf:pam_cert_auth = True If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.

Fix Text

Configure Amazon Linux 2023 to have smart cards enabled in SSSD. Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line: pam_cert_auth = True

Additional Identifiers

Rule ID: SV-274059r1120165_rule

Vulnerability ID: V-274059

Group Title: SRG-OS-000375-GPOS-00160

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.