← Back to Red Hat Enterprise Linux 9 Security Technical Implementation Guide

V-258122

CAT II (Medium)

RHEL 9 must enable certificate based smart card authentication.

Rule ID

SV-258122r1045246_rule

STIG

Red Hat Enterprise Linux 9 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000765 CCI-004046 CCI-004047 CCI-001948

Discussion

Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication. Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052

Check Content

Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable.

To verify that RHEL 9 has smart cards  enabled in System Security Services Daemon (SSSD), run the following command:

$ sudo grep -ir pam_cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/

pam_cert_auth = True 

If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.

Fix Text

Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line:

pam_cert_auth = True