Install Smart Card Packages For Multifactor Authentication

An XCCDF Rule

Description

Configure the operating system to implement multifactor authentication by installing the required package with the following command: The pam_pkcs11 package can be installed with the following command:

$ sudo zypper install pam_pkcs11

The mozilla-nss package can be installed with the following command:

$ sudo zypper install mozilla-nss

The mozilla-nss-tools package can be installed with the following command:

$ sudo zypper install mozilla-nss-tools

The pcsc-ccid package can be installed with the following command:

$ sudo zypper install pcsc-ccid

The pcsc-lite package can be installed with the following command:

$ sudo zypper install pcsc-lite

The pcsc-tools package can be installed with the following command:

$ sudo zypper install pcsc-tools

The opensc package can be installed with the following command:

$ sudo zypper install opensc

The coolkey package can be installed with the following command:

$ sudo zypper install coolkey

Rationale

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

ID: xccdf_org.ssgproject.content_rule_install_smartcard_packages
Severity: Medium
References: CCI-000765 CCI-001948 CCI-001953 CCI-001954

CM-6(a)

Req-8.3

SRG-OS-000105-GPOS-00052 SRG-OS-000375-GPOS-00160 SRG-OS-000375-GPOS-00161 SRG-OS-000377-GPOS-00162

SLES-12-030500

CCE-83177-6

SV-217299r854165_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { ! grep -q s390x /proc/sys/kernel/osrelease; }; then

SMARTCARD_PACKAGES=( "pam_pkcs11"  "mozilla-nss"  "mozilla-nss-tools"  "pcsc-ccid"  "pcsc-lite"  "pcsc-tools"  "opensc" "coolkey")

for PKGNAME in "${SMARTCARD_PACKAGES[@]}"do
    zypper install -y "$PKGNAME"
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Set smartcard packages fact
  set_fact:
    smartcard_packages:
    - pam_pkcs11
    - mozilla-nss
    - mozilla-nss-tools    - pcsc-ccid
    - pcsc-lite
    - pcsc-tools
    - opensc
    - coolkey
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture != "s390x"
  tags:
  - CCE-83177-6
  - DISA-STIG-SLES-12-030500
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.3
  - enable_strategy
  - install_smartcard_packages
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure {{ smartcard_packages }} are installed
  package:
    name: '{{ smartcard_packages }}'
    state: present
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_architecture != "s390x"
  tags:
  - CCE-83177-6
  - DISA-STIG-SLES-12-030500
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.3
  - enable_strategy
  - install_smartcard_packages
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Install Smart Card Packages For Multifactor Authentication

Description

Rationale

Remediation - Shell Script

Remediation - Ansible