Enable the GNOME3 Login Smartcard Authentication
An XCCDF Rule
Description
In the default graphical environment, smart card authentication
can be enabled on the login screen by setting enable-smartcard-authentication
to true
.
To enable, add or edit enable-smartcard-authentication
to
/etc/dconf/db/distro.d/00-security-settings
. For example:
[org/gnome/login-screen] enable-smartcard-authentication=trueOnce the setting has been added, add a lock to
/etc/dconf/db/distro.d/locks/00-security-settings-lock
to prevent user modification.
For example:
/org/gnome/login-screen/enable-smartcard-authenticationAfter the settings have been set, run
dconf update
.
Rationale
Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage PKI (public key infrastructure) in order to provide and verify credentials.
- ID
- xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-IA-2(11)
- NIST-800-53-IA-2(3)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q gdm && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
# Check for setting in any of the DConf db directories
# If files contain ibus or distro, ignore them.
# The assignment assumes that individual filenames don't contain :