RHEL 9 must use the common access card (CAC) smart card driver.

STIG ID: RHEL-09-611160  |  SRG: SRG-OS-000104-GPOS-00051 |  Severity: medium |  CCI: CCI-000764,CCI-000766,CCI-000765,CCI-004045,CCI-001941,CCI-000767,CCI-000768,CCI-000770,CCI-001942 |  Vulnerability Id: V-258121

Vulnerability Discussion

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards.

Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058

Check

Verify that RHEL loads the CAC driver with the following command:

$ sudo opensc-tool --get-conf-entry app:default:card_driver cac

cac

If "cac" is not listed as a card driver, or no line is returned for "card_drivers", this is a finding.

Fix

Configure RHEL 9 to load the CAC driver.

$ sudo opensc-tool --set-conf-entry app:default:card_driver:cac

Restart the pcscd service to apply the changes:

$ sudo systemctl restart pcscd
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.