Configure NSS DB To Use opensc

An XCCDF Rule

Description

The opensc module should be configured for use over the Coolkey PKCS#11 module in the NSS database. To configure the NSS database to use the opensc module, run the following command:

$ sudo pkcs11-switch opensc

warning alert: Warning

NSS modules information are stored in NSS database which is in binary format. Currently it is not possible to check NSS database using OVAL. This is the reason there is no OVAL check for this rule.

Rationale

Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.

ID: xccdf_org.ssgproject.content_rule_configure_opensc_nss_db
Severity: Medium
References: 1 12 15 16 5

DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.10

CCI-000765 CCI-000766 CCI-000767 CCI-000768 CCI-000771 CCI-000772 CCI-000884

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.2 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

A.18.1.4 A.7.1.1 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.2 A.9.4.3

CM-6(a) IA-2(1) IA-2(11) IA-2(2) IA-2(3) IA-2(4) IA-2(6) IA-2(7)

PR.AC-1 PR.AC-6 PR.AC-7

Req-8.3

SRG-OS-000104-GPOS-00051 SRG-OS-000106-GPOS-00053 SRG-OS-000107-GPOS-00054 SRG-OS-000108-GPOS-00055 SRG-OS-000108-GPOS-00057 SRG-OS-000108-GPOS-00058 SRG-OS-000109-GPOS-00056
Updated: about 1 year ago

- name: Configure NSS DB To Use opensc - Check Existence of pkcs11-switch
  ansible.builtin.stat:
    path: /usr/bin/pkcs11-switch
  register: pkcs11switch
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(2)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(6)
  - NIST-800-53-IA-2(7)
  - PCI-DSS-Req-8.3
  - configure_opensc_nss_db
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure NSS DB To Use opensc - Get NSS Database Smart Card Configuration
  ansible.builtin.command: /usr/bin/pkcs11-switch
  changed_when: true
  register: pkcsw_output
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - pkcs11switch.stat.exists
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(2)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(6)
  - NIST-800-53-IA-2(7)
  - PCI-DSS-Req-8.3
  - configure_opensc_nss_db
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Configure NSS DB To Use opensc - Select opensc Module
  ansible.builtin.shell: echo -e "\n" | /usr/bin/pkcs11-switch opensc
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - pkcs11switch.stat.exists and pkcsw_output.stdout != "opensc"
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(2)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(6)
  - NIST-800-53-IA-2(7)
  - PCI-DSS-Req-8.3
  - configure_opensc_nss_db
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

PKCSSW=$(/usr/bin/pkcs11-switch)

if [ ${PKCSSW} != "opensc" ] ; then    echo -e "\n" | ${PKCSSW} opensc
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure NSS DB To Use opensc

Description

Rationale

Remediation - Ansible

Remediation - Shell Script