{"description": "SSSD should be configured to authenticate access to the system using smart cards.\nTo enable smart cards in SSSD, set <tt>pam_cert_auth</tt> to <tt>True</tt> under the\n<tt>[pam]</tt> section in <tt>/etc/sssd/sssd.conf</tt>. For example:\n<pre>[pam]\npam_cert_auth = True\n</pre>", "rationale": "Using an authentication device, such as a CAC or token that is separate from\nthe information system, ensures that even if the information system is\ncompromised, that compromise will not affect credentials stored on the\nauthentication device.\n<br /><br />\nMulti-Factor Authentication (MFA) solutions that require devices separate from\ninformation systems gaining access include, for example, hardware tokens\nproviding time-based or challenge-response authenticators and smart cards\nor similar secure authentication devices issued by an organization or identity provider.", "severity": "medium", "references": {"pcidss": ["Req-8.3"], "srg": ["SRG-OS-000375-GPOS-00160", "SRG-OS-000105-GPOS-00052", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "control_references": {"ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "components": [], "identifiers": {}, "ocil_clause": "smart cards are not enabled in SSSD", "ocil": "To verify that smart cards are enabled in SSSD, run the following command:\n<pre>$ sudo grep pam_cert_auth /etc/sssd/sssd.conf</pre>\nIf configured properly, output should be\n<pre>pam_cert_auth = True</pre>", "oval_external_content": null, "fixtext": "Edit the file \"/etc/sssd/sssd.conf\" and add or edit the following line:\n\npam_cert_auth = True", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement smart card logon for multifactor authentication for access to interactive accounts.", "warnings": [], 
"conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must enable certificate based smart card authentication.", "vuldiscussion": "Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication.", "checktext": "Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable.\n\nTo verify that Ubuntu 22.04 has smart cards enabled in System Security Services Daemon (SSSD), run the following command:\n\n$ sudo grep -ir pam_cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/\n\npam_cert_auth = True\n\nIf \"pam_cert_auth\" is not set to \"True\", the line is commented out, or the line is missing, this is a finding.", "fixtext": "Edit the file \"/etc/sssd/sssd.conf\" or a configuration file in \"/etc/sssd/conf.d\" and add or edit the following line:\n\npam_cert_auth = True"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[sssd]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_sssd"], "bash_conditional": null, "fixes": {}, "title": "Enable Smartcards in SSSD", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd_enable_smartcards/rule.yml", "template": null}