STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021

RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts.

DISA Rule

SV-230372r627750_rule

Vulnerability Number

V-230372

Group Title

SRG-OS-000105-GPOS-00052

Rule Version

RHEL-08-020250

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure RHEL 8 to use multifactor authentication for local access to accounts.

Add or update the "pam_cert_auth" setting in the "/etc/sssd/sssd.conf" file to match the following line:

[pam]
pam_cert_auth = True

Add or update "pam_sss.so" with "try_cert_auth" or "require_cert_auth" in the "/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files based on the following examples:

/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth

/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:

$ sudo systemctl restart sssd.service

Check Contents

Verify RHEL 8 uses multifactor authentication for local access to accounts.

Note: If the System Administrator demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.

Check that the "pam_cert_auth" setting is set to "true" in the "/etc/sssd/sssd.conf" file.

Check that the "try_cert_auth" or "require_cert_auth" options are configured in both "/etc/pam.d/system-auth" and "/etc/pam.d/smartcard-auth" files with the following command:

$ sudo grep cert_auth /etc/sssd/sssd.conf /etc/pam.d/*

/etc/sssd/sssd.conf:pam_cert_auth = True
/etc/pam.d/smartcard-auth:auth sufficient pam_sss.so try_cert_auth
/etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

If "pam_cert_auth" is not set to "true" in "/etc/sssd/sssd.conf", this is a finding.

If "pam_sss.so" is not set to "try_cert_auth" or "require_cert_auth" in both the "/etc/pam.d/smartcard-auth" and "/etc/pam.d/system-auth" files, this is a finding.
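Added example (not from the STIG or from STIGQter): a POSIX shell audit helper that applies the check above and the fix recommendation's expected settings, parsing the [pam] section of sssd.conf instead of grepping every line that mentions cert_auth, so a pam_cert_auth set in the wrong section or a commented-out PAM line is not mistaken for compliance. The function names and the sample files in the demo are constructed for this example.

```shell
#!/bin/sh
# Added audit helper for RHEL-08-020250 (example code, not part of the STIG
# or of STIGQter). Exit status 0 = no finding, 1 = finding.

# True when the [pam] section of an sssd.conf sets pam_cert_auth to true
# (sssd reads booleans case-insensitively, so "True" and "true" both pass).
sssd_cert_auth_enabled() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[pam\][[:space:]]*$/) }
        insec && /^[[:space:]]*pam_cert_auth[[:space:]]*=/ {
            split($0, kv, "="); val = tolower(kv[2]); gsub(/[[:space:]]/, "", val)
            if (val == "true") found = 1
        }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# True when an uncommented auth line loads pam_sss.so with try_cert_auth or
# require_cert_auth, regardless of the control field in front of the module.
pam_cert_auth_configured() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so.*[[:space:]](try|require)_cert_auth([[:space:]]|$)' "$1" 2>/dev/null
}

# Usage: check_rhel_08_020250 SSSD_CONF PAM_FILE...
check_rhel_08_020250() {
    sssd_conf=$1; shift; status=0
    if sssd_cert_auth_enabled "$sssd_conf"; then
        echo "PASS: pam_cert_auth = true in [pam] of $sssd_conf"
    else
        echo "FAIL: pam_cert_auth not true in [pam] of $sssd_conf"; status=1
    fi
    for f in "$@"; do
        if pam_cert_auth_configured "$f"; then
            echo "PASS: $f loads pam_sss.so with try_cert_auth/require_cert_auth"
        else
            echo "FAIL: $f lacks pam_sss.so try_cert_auth/require_cert_auth"; status=1
        fi
    done
    return $status
}

# Demo on constructed files in a temp dir (not a live host): system-auth carries
# no cert_auth option, so the result is a finding. On a real host run:
#   check_rhel_08_020250 /etc/sssd/sssd.conf /etc/pam.d/system-auth /etc/pam.d/smartcard-auth
demo=$(mktemp -d)
printf '[pam]\npam_cert_auth = True\n' > "$demo/sssd.conf"
printf 'auth sufficient pam_sss.so try_cert_auth\n' > "$demo/smartcard-auth"
printf 'auth [success=done default=die] pam_sss.so forward_pass\n' > "$demo/system-auth"
check_rhel_08_020250 "$demo/sssd.conf" "$demo/smartcard-auth" "$demo/system-auth" && echo "no finding" || echo "finding"
rm -rf "$demo"
```

Note that the helper only confirms the configuration is present; the STIG also allows the requirement to be marked not applicable when an approved alternate multifactor method is demonstrated, which no script can decide.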

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

2921

Comments