{"description": "This requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the\npurpose of configuring the device itself (management).\n\n\nAdd or update the following line in <tt>/etc/pam.d/common-auth</tt>,\nplacing it above any lines containing <tt>pam_unix.so</tt>:\n<pre>auth    [success=2 default=ignore] pam_pkcs11.so </pre>\n\n\nFor general information about enabling smart card authentication, consult\nthe documentation at:\n\n<ul>\n<li><b>\n    <a xmlns='http://www.w3.org/1999/xhtml' href='https://pages.ubuntu.com/rs/066-EOV-335/images/SmartCardLogin_WhitePapaer_04.03.20.pdf'>https://pages.ubuntu.com/rs/066-EOV-335/images/SmartCardLogin_WhitePapaer_04.03.20.pdf</a></b></li>\n</ul>", "rationale": "Smart card login provides two-factor authentication stronger than\nthat provided by a username and password combination. Smart cards leverage PKI\n(public key infrastructure) in order to provide and verify credentials.\n\nUsing an authentication device, such as a CAC or token that is separate\nfrom the information system, ensures that even if the information system is\ncompromised, that compromise will not affect credentials stored on the\nauthentication device.\n\nMultifactor solutions that require devices separate from information\nsystems gaining access include, for example, hardware tokens providing\ntime-based or challenge-response authenticators and smart cards\nor similar secure authentication devices issued by an organization or identity provider.", "severity": "medium", "references": {"srg": ["SRG-OS-000068-GPOS-00036", "SRG-OS-000105-GPOS-00052", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055", "SRG-OS-000375-GPOS-00160", "SRG-OS-000375-GPOS-00161", "SRG-OS-000375-GPOS-00162"], "stigid": ["UBTU-22-612020"], "stigref": ["SV-260575r1044770_rule"]}, 
"control_references": {"stigid": ["UBTU-22-612020"]}, "components": [], "identifiers": {}, "ocil_clause": "non-exempt accounts are not using CAC authentication", "ocil": "Remote access is access to nonpublic information systems by an\nauthorized user (or an information system) communicating through an\nexternal, non-organization-controlled network. Remote access methods\ninclude, for example, dial-up, broadband, and wireless.\n\nThis requirement only applies to components where this is specific to the\nfunction of the device or has the concept of an organizational user (e.g.,\nVPN, proxy capability). This does not apply to authentication for the\npurpose of configuring the device itself (management).\n\nCheck that the <tt>pam_pkcs11.so</tt> option is configured in the\n<tt>/etc/pam.d/common-auth</tt> file with the following command:\n\n<pre># grep pam_pkcs11.so /etc/pam.d/common-auth\n\n\nauth [success=2 default=ignore] pam_pkcs11.so</pre>\n\n\nIf <tt>pam_pkcs11.so</tt> is not set in <tt>/etc/pam.d/common-auth</tt>, this\nis a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Smart Card Logins in PAM", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_pam_enabled/rule.yml", "template": null}