Enable the pcscd Service

An XCCDF Rule

Description

The pcscd service can be enabled with the following command:

$ sudo systemctl enable pcscd.service

Rationale

Using an authentication device, such as a CAC or token that is separate from the information system, ensures that even if the information system is compromised, that compromise will not affect credentials stored on the authentication device.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

ID: xccdf_org.ssgproject.content_rule_service_pcscd_enabled
Severity: Medium
References: CCI-001954

1382 1384 1386

CM-6(a) IA-2(1) IA-2(11) IA-2(2) IA-2(3) IA-2(4) IA-2(6) IA-2(7)

Req-8.3

SRG-OS-000375-GPOS-00160
Updated: about 1 year ago


[customizations.services]
enabled = ["pcscd"]

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'pcscd.service'
"$SYSTEMCTL_EXEC" start 'pcscd.service'"$SYSTEMCTL_EXEC" enable 'pcscd.service'

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Enable service pcscd
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto
  - name: Start service pcscd
    systemd:
      name: pcscd
      state: started
      masked: 'no'
    when:
    - '"pcsc-lite" in ansible_facts.packages'

  - name: Enable service pcscd
    ansible.builtin.command:
      cmd: systemctl enable pcscd
    when:
    - '"pcsc-lite" in ansible_facts.packages'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2(1)
  - NIST-800-53-IA-2(11)
  - NIST-800-53-IA-2(2)
  - NIST-800-53-IA-2(3)
  - NIST-800-53-IA-2(4)
  - NIST-800-53-IA-2(6)
  - NIST-800-53-IA-2(7)
  - PCI-DSS-Req-8.3
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_pcscd_enabled

include enable_pcscd

class enable_pcscd {
  service {'pcscd':
    enable => true,
    ensure => 'running',  }
}

Enable the pcscd Service

Description

Rationale

Remediation - OS Build Blueprint

Remediation - Shell Script

Remediation - Ansible

Remediation - Puppet