Check: RHEL-09-215075
RHEL 9 STIG:
RHEL-09-215075
(in versions v2 r1 through v1 r1)
Title
RHEL 9 must have the openssl-pkcs11 package installed. (Cat II impact)
Discussion
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD common access card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, SRG-OS-000377-GPOS-00162
Check Content
Verify that RHEL 9 has the openssl-pkcs11 package installed with the following command: $ sudo dnf list --installed openssl-pkcs11 Example output: openssl-pkcs.i686 0.4.11-7.el9 openssl-pkcs.x86_64 0.4.11-7.el9 If the "openssl-pkcs11" package is not installed, this is a finding.
Fix Text
The openssl-pkcs11 package can be installed with the following command: $ sudo dnf install openssl-pkcs11
Additional Identifiers
Rule ID: SV-257838r997057_rule
Vulnerability ID: V-257838
Group Title: SRG-OS-000105-GPOS-00052
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000765 |
Implement multifactor authentication for access to privileged accounts. |
| CCI-001948 |
The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
| CCI-001953 |
Accept Personal Identity Verification-compliant credentials. |
| CCI-001954 |
Electronically verify Personal Identity Verification-compliant credentials. |
| CCI-004046 |
Implement multi-factor authentication for local; network; and/or remote access to privileged accounts; and/or non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |