{"description": "To enable smart card authentication, consult the documentation at:\n<ul>\n\n</ul>\n\n\nFor guidance on enabling SSH to authenticate against a Common Access Card (CAC), consult documentation at:\n<ul>\n<li><b>\n    <a xmlns='http://www.w3.org/1999/xhtml' href='https://access.redhat.com/solutions/82273'>https://access.redhat.com/solutions/82273</a></b></li>\n</ul>", "rationale": "Smart card login provides two-factor authentication stronger than\nthat provided by a username and password combination. Smart cards leverage PKI\n(public key infrastructure) in order to provide and verify credentials.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-2(1)", "IA-2(2)", "IA-2(3)", "IA-2(4)", "IA-2(6)", "IA-2(7)", "IA-2(11)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "pcidss": ["Req-8.3"], "srg": ["SRG-OS-000104-GPOS-00051", "SRG-OS-000106-GPOS-00053", "SRG-OS-000107-GPOS-00054", "SRG-OS-000108-GPOS-00055", "SRG-OS-000108-GPOS-00057", "SRG-OS-000108-GPOS-00058", "SRG-OS-000109-GPOS-00056", "SRG-OS-000376-GPOS-00161", "SRG-OS-000377-GPOS-00162"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "non-exempt accounts are not using CAC authentication", "ocil": "Interview the SA to determine if all accounts not exempted by policy are\nusing CAC authentication. For DoD systems, the following systems and\naccounts are exempt from using smart card (CAC) authentication:\n<ul>\n<li>SIPRNET systems</li>\n<li>Standalone systems</li>\n<li>Application accounts</li>\n<li>Temporary employee accounts, such as students or interns, who cannot\neasily receive a CAC or PIV</li>\n<li>Operational tactical locations that are not collocated with RAPIDS\nworkstations to issue CAC or ALT</li>\n<li>Test systems, such as those with an Interim Approval to Test (IATT) and\nuse a separate VPN, firewall, or security measure preventing access to\nnetwork and system components from outside the protection boundary\ndocumented in the IATT.</li>\n</ul>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["not_s390x_arch"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["not_s390x_arch"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enable Smart Card Login", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-physical/screen_locking/smart_card_login/smartcard_auth/rule.yml", "template": null}