srg_requirement: |-
    {{{ full_name }}} must enable certificate based smart card authentication.

vuldiscussion: |-
    Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased. Multifactor authentication requires using two or more factors to achieve authentication. A privileged account is defined as an information system account with authorizations of a privileged user. The DOD Common Access Card (CAC) with DOD-approved PKI is an example of multifactor authentication.



checktext: |-
    Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is Not Applicable.

    To verify that {{{ full_name }}} has smart cards  enabled in System Security Services Daemon (SSSD), run the following command:

    $ sudo grep -ir pam_cert_auth /etc/sssd/sssd.conf /etc/sssd/conf.d/

    pam_cert_auth = True

    If "pam_cert_auth" is not set to "True", the line is commented out, or the line is missing, this is a finding.

fixtext: |-
    Edit the file "/etc/sssd/sssd.conf" or a configuration file in "/etc/sssd/conf.d" and add or edit the following line:

    pam_cert_auth = True