Verify that 'use_mappers' is set to 'pwent' in PAM

An XCCDF Rule

Description

The operating system must map the authenticated identity to the user or group account for PKI-based authentication. Verify that use_mappers is set to pwent in /etc/pam_pkcs11/pam_pkcs11.conf file with the following command:

$ grep ^use_mappers /etc/pam_pkcs11/pam_pkcs11.conf

use_mappers = pwent

Rationale

Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.

ID: xccdf_org.ssgproject.content_rule_verify_use_mappers
Severity: Low
References: CCI-000187

SRG-OS-000068-GPOS-00036

UBTU-20-010006

SV-238201r832933_rule
Updated: about 1 year ago

- name: Verify that 'use_mappers' is set to 'pwent' in PAM
  lineinfile:
    path: /etc/pam_pkcs11/pam_pkcs11.conf
    create: true
    line: use_mappers = pwent
    state: present  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-UBTU-20-010006
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - verify_use_mappers

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [ -e "/etc/pam_pkcs11/pam_pkcs11.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*use_mappers = pwent/Id" "/etc/pam_pkcs11/pam_pkcs11.conf"else
    touch "/etc/pam_pkcs11/pam_pkcs11.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/pam_pkcs11/pam_pkcs11.conf"

cp "/etc/pam_pkcs11/pam_pkcs11.conf" "/etc/pam_pkcs11/pam_pkcs11.conf.bak"
# Insert at the end of the file
printf '%s\n' "use_mappers = pwent" >> "/etc/pam_pkcs11/pam_pkcs11.conf"
# Clean up after ourselves.
rm "/etc/pam_pkcs11/pam_pkcs11.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify that 'use_mappers' is set to 'pwent' in PAM

Description

Rationale

Remediation - Ansible

Remediation - Shell Script