OL 9 must enable certificate-based smart card authentication.

STIG ID: OL09-00-000925  |  SRG: SRG-OS-000375-GPOS-00160 |  Severity: medium |  CCI: CCI-004046,CCI-000765 |  Vulnerability Id: V-271607

Vulnerability Discussion

Without the use of multifactor authentication (MFA), the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication.

Satisfies: SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052

Check

Verify that OL 9 has smart cards enabled in System Security Services Daemon (SSSD) if smart cards are used for MFA with the following command:

$ sudo grep pam_cert_auth /etc/sssd/sssd.conf
pam_cert_auth = True

If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.

Fix

Configure OL 9 to enable certificate-based smart card authentication.

Edit the file "/etc/sssd/sssd.conf" and add or edit the following line:

pam_cert_auth = True
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.