An error occurred:

Check: RHEL-09-611160

RHEL 9 STIG: RHEL-09-611160 (in versions v1 r3 through v1 r1)

Title

RHEL 9 must use the CAC smart card driver. (Cat II impact)

Discussion

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058

Check Content

Verify that RHEL loads the CAC driver with the following command: $ grep card_drivers /etc/opensc.conf card_drivers = cac; If "cac" is not listed as a card driver, or there is no line returned for "card_drivers", this is a finding.

Fix Text

Configure RHEL 9 to load the CAC driver. Add or modify the following line in the "/etc/opensc.conf" file: card_drivers = cac;

Additional Identifiers

Rule ID: SV-258121r926350_rule

Vulnerability ID: V-258121

Group Title: SRG-OS-000104-GPOS-00051

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000764

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000766

The information system implements multifactor authentication for network access to non-privileged accounts.
CCI-000767

The information system implements multifactor authentication for local access to privileged accounts.
CCI-000768

The information system implements multifactor authentication for local access to non-privileged accounts.
CCI-000770

The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
CCI-001941

The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-001942

The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2

Identification And Authentication (Organizational Users)
IA-2 (2)

Network Access To Non-Privileged Accounts
IA-2 (3)

Local Access To Privileged Accounts
IA-2 (4)

Local Access To Non-Privileged Accounts
IA-2 (5)

Group Authentication
IA-2 (8)

Network Access To Privileged Accounts - Replay Resistant
IA-2 (9)

Network Access To Non-Privileged Accounts - Replay Resistant