{"description": "In the default graphical environment, smart card authentication\ncan be enabled on the login screen by setting <tt>enable-smartcard-authentication</tt>\nto <tt>true</tt>.\n<br /><br />\nTo enable, add or edit <tt>enable-smartcard-authentication</tt> to\n<tt>/etc/dconf/db/gdm.d/00-security-settings</tt>. For example:\n<pre>[org/gnome/login-screen]\nenable-smartcard-authentication=true</pre>\nOnce the setting has been added, add a lock to\n<tt>/etc/dconf/db/gdm.d/locks/00-security-settings-lock</tt> to prevent user modification.\nFor example:\n<pre>/org/gnome/login-screen/enable-smartcard-authentication</pre>\nAfter the settings have been set, run <tt>dconf update</tt>.", "rationale": "Smart card login provides two-factor authentication stronger than\nthat provided by a username and password combination. Smart cards leverage PKI\n(public key infrastructure) in order to provide and verify credentials.", "severity": "medium", "references": {"nist": ["IA-2(3)", "IA-2(4)", "IA-2(8)", "IA-2(9)", "IA-2(11)"], "pcidss": ["Req-8.3"], "srg": ["SRG-OS-000375-GPOS-00160", "SRG-OS-000376-GPOS-00161", "SRG-OS-000377-GPOS-00162"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "enable-smartcard-authentication has not been configured or is disabled", "ocil": "To ensure smart card authentication on the login screen is enabled, run the following command:\n<pre>$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/*</pre>\nThe output should be <tt>true</tt>.\nTo ensure that users cannot disable smart card authentication on the login screen, run the following:\n<pre>$ grep enable-smartcard-authentication /etc/dconf/db/gdm.d/locks/*</pre>\nIf properly configured, the output should be <tt>/org/gnome/login-screen/enable-smartcard-authentication</tt>", "oval_external_content": null, "fixtext": "The dconf settings can be edited in the /etc/dconf/db/* location.\n\nFirst, add or update the [org/gnome/login-screen] section of the \"/etc/dconf/db/gdm.d/00-security-settings\" database file and add or update the following lines:\n\n[org/gnome/login-screen]\nenable-smartcard-authentication=true\n\nThen, add the following line to \"/etc/dconf/db/gdm.d/locks/00-security-settings-lock\" to prevent user modification:\n\n/org/gnome/login-screen/enable-smartcard-authentication\n\nFinally, update the dconf system databases:\n\n$ sudo dconf update", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[gdm]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_gdm"], "bash_conditional": null, "fixes": {}, "title": "Enable the GNOME3 Login Smartcard Authentication", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/gnome/gnome_login_screen/dconf_gnome_enable_smartcard_auth/rule.yml", "template": null}