RHEL 10 must use the common access card (CAC) smart card driver.

STIG ID: RHEL-10-200621  |  SRG: SRG-OS-000104-GPOS-00051 |  Severity: medium (CAT II)  |  CCI: CCI-000764,CCI-000766,CCI-000765,CCI-004045 |  Vulnerability Id: V-280976

Vulnerability Discussion

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver helps to prevent the use of unauthorized smart cards.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055

Check

Verify RHEL 10 loads the CAC driver with the following command:

$ sudo opensc-tool --get-conf-entry app:default:card_drivers
cac

If "cac" is not listed as a card driver, or no line is returned for "card_drivers", this is a finding.

Fix

Configure RHEL 10 to load the CAC driver:

$ sudo opensc-tool --set-conf-entry app:default:card_drivers:cac

Restart the pcscd service with the following command for the changes to take effect:

$ sudo systemctl restart pcscd
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.