Check: RHEL-09-611165
RHEL 9 STIG:
RHEL-09-611165
(in versions v1 r3 through v1 r1)
Title
RHEL 9 must enable certificate based smart card authentication. (Cat II impact)
Discussion
Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052
Check Content
Verify that RHEL 9 has smart cards are enabled in System Security Services Daemon (SSSD), run the following command: $ sudo grep pam_cert_auth /etc/sssd/sssd.conf pam_cert_auth = True If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.
Fix Text
Edit the file "/etc/sssd/sssd.conf" and add or edit the following line: pam_cert_auth = True
Additional Identifiers
Rule ID: SV-258122r926353_rule
Vulnerability ID: V-258122
Group Title: SRG-OS-000375-GPOS-00160
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000765 |
The information system implements multifactor authentication for network access to privileged accounts. |
| CCI-001948 |
The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access. |