Verify that 'use_mappers' is set to 'pwent' in PAM
An XCCDF Rule
Description
The operating system must map the authenticated identity to the user or group account for PKI-based authentication. Verify that use_mappers is set to pwent in the /etc/pam_pkcs11/pam_pkcs11.conf file with the following command:
$ grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf
use_mappers = pwent
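The check above, extended into a small audit function as an added example (not part of this rule's own content). The `grep ^use_mappers` pattern only matches a setting that starts in column 0, so this version also accepts indented lines, ignores commented-out ones, and flags duplicate settings. The function name, the status words, and the tolerance for a trailing `;` and a comma-separated mapper list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the rule's own content): audit use_mappers in a
# pam_pkcs11 configuration. Function name and status words are hypothetical.
# Prints one status word; returns 0 only when the sole active mapper is pwent.
audit_use_mappers() {
    conf=${1:-/etc/pam_pkcs11/pam_pkcs11.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }

    # Drop '#' comments, then keep the value of every active use_mappers line.
    # Leading whitespace is accepted so an indented setting is not missed;
    # a trailing ';' is tolerated (assumed config syntax).
    values=$(LC_ALL=C sed -n \
            -e 's/[[:space:]]*#.*$//' \
            -e 's/^[[:space:]]*use_mappers[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' \
            "$conf" |
        sed -e 's/[[:space:]]*;[[:space:]]*$//' -e 's/[[:space:]]*$//')

    [ -n "$values" ] || { echo "missing"; return 1; }

    # More than one active line makes the effective value ambiguous.
    count=$(printf '%s\n' "$values" | grep -c '')
    [ "$count" -eq 1 ] || { echo "duplicate"; return 1; }

    [ "$values" = "pwent" ] && { echo "compliant"; return 0; }

    # Comma-separated list: report whether pwent is at least present.
    list=",$(printf '%s' "$values" | tr -d '[:space:]'),"
    case "$list" in
        *,pwent,*) echo "pwent-plus-others" ;;
        *)         echo "no-pwent" ;;
    esac
    return 1
}

# Demo on a constructed sample file (not a real system configuration).
demo=$(mktemp)
printf 'pam_pkcs11 {\n    # use_mappers = cn, uid;\n    use_mappers = pwent;\n}\n' > "$demo"
echo "constructed sample: $(audit_use_mappers "$demo")"
rm -f "$demo"
```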
Rationale
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
- ID: xccdf_org.ssgproject.content_rule_verify_use_mappers
- Severity: Low
- Updated
Remediation Templates
An Ansible Snippet
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-20-010006
  - low_complexity
A Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'kernel' 2>/dev/null | grep -q installed; then
if [ -e "/etc/pam_pkcs11/pam_pkcs11.conf" ] ; then
    LC_ALL=C sed -i "/^\s*use_mappers = pwent/Id" "/etc/pam_pkcs11/pam_pkcs11.conf"