Check: RHEL-09-611160
RHEL 9 STIG: RHEL-09-611160 (version v2 r3)
Title
RHEL 9 must use the common access card (CAC) smart card driver. (Cat II impact)
Discussion
Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058
Check Content
Verify that RHEL 9 loads the CAC driver with the following command:

$ sudo opensc-tool --get-conf-entry app:default:card_driver

cac

If "cac" is not listed as a card driver, or no line is returned for "card_drivers", this is a finding.

Note: the command queries the key "card_driver" while the finding condition refers to "card_drivers". OpenSC itself reads its driver list from the "card_drivers" key of opensc.conf, so confirm which key your installed OpenSC honours (for example by inspecting /etc/opensc.conf) rather than relying on the query alone.
Fix Text
Configure RHEL 9 to load the CAC driver:

$ sudo opensc-tool --set-conf-entry app:default:card_driver:cac

Restart the pcscd service to apply the changes:

$ sudo systemctl restart pcscd
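The check and fix above, combined into one audit-and-remediate script. This is an added example, not part of the STIG text or of DISA's SCAP/automation content; the key name app:default:card_driver is used exactly as the STIG gives it, and the verdict logic is kept in a pure function so it can be exercised on constructed output on a host without a smart-card stack. It goes slightly beyond the single-token output the STIG shows by also accepting OpenSC's comma-separated driver lists (for example "cac, internal").

```shell
#!/bin/sh
# Added example: audit and (optionally) remediate RHEL-09-611160.
# Not taken from the STIG or from DISA automation; the key name
# app:default:card_driver is used exactly as the STIG text gives it.
set -u

# Return 0 if "cac" appears as one comma-separated token in the value of
# app:default:card_driver, 1 otherwise. OpenSC driver lists may contain
# several names ("cac, internal"); a bare "internal" enables every built-in
# driver but does not list cac explicitly, so it does not satisfy the check.
cac_driver_listed() {
    value=$(printf '%s' "$1" | tr -d '[:space:]')
    case ",$value," in
        *",cac,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Turn captured opensc-tool output into the STIG verdict.
# Empty output means no line was returned for the key: also a finding.
stig_verdict() {
    if [ -z "$1" ]; then
        echo "finding: no card_driver entry"
    elif cac_driver_listed "$1"; then
        echo "pass"
    else
        echo "finding: cac not listed (got: $1)"
    fi
}

# Live audit of this host. Needs the opensc package (opensc-tool).
check_host() {
    if ! command -v opensc-tool >/dev/null 2>&1; then
        echo "finding: opensc-tool not installed"
        return 1
    fi
    out=$(opensc-tool --get-conf-entry app:default:card_driver 2>/dev/null) || out=""
    stig_verdict "$out"
}

# Remediation exactly as the Fix Text prescribes; run as root.
remediate_host() {
    opensc-tool --set-conf-entry app:default:card_driver:cac &&
    systemctl restart pcscd
}

case "${1:-}" in
    --check) check_host ;;
    --fix)   remediate_host && check_host ;;
esac
```

Run `sh audit-cac.sh --check` to audit and `sudo sh audit-cac.sh --fix` to apply the Fix Text and re-check in one step. Because the script only ever writes the key the STIG names, a host whose OpenSC reads the plural "card_drivers" key may still report "pass" here while not actually restricting drivers; pair this with the opensc.conf inspection noted in the Check Content.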
Additional Identifiers
Rule ID: SV-258121r1045243_rule
Vulnerability ID: V-258121
Group Title: SRG-OS-000104-GPOS-00051
CCIs
Number | Definition |
---|---|
CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
CCI-000765 | Implement multifactor authentication for access to privileged accounts. |
CCI-000766 | Implement multifactor authentication for access to non-privileged accounts. |
CCI-000767 | The information system implements multifactor authentication for local access to privileged accounts. |
CCI-000768 | The information system implements multifactor authentication for local access to non-privileged accounts. |
CCI-000770 | The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. |
CCI-001941 | Implement replay-resistant authentication mechanisms for access to privileged accounts and/or non-privileged accounts. |
CCI-001942 | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. |
CCI-004045 | Require users to be individually authenticated before granting access to the shared accounts or resources. |
Controls
Number | Title |
---|---|
IA-2 | Identification and Authentication (Organizational Users) |
IA-2(1) | Network Access to Privileged Accounts |
IA-2(2) | Network Access to Non-privileged Accounts |
IA-2(3) | Local Access to Privileged Accounts |
IA-2(4) | Local Access to Non-privileged Accounts |
IA-2(5) | Group Authentication |
IA-2(8) | Network Access to Privileged Accounts - Replay Resistant |
IA-2(9) | Network Access to Non-privileged Accounts - Replay Resistant |