STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

DISA Rule

SV-204397r603261_rule

Vulnerability Number

V-204397

Group Title

SRG-OS-000375-GPOS-00160

Rule Version

RHEL-07-010061

Severity

CAT II

CCI(s)

• CCI-001948 - The information system implements multifactor authentication for remote access to privileged accounts such that one of the factors is provided by a device separate from the system gaining access.
• CCI-001953 - The information system accepts Personal Identity Verification (PIV) credentials.
• CCI-001954 - The information system electronically verifies Personal Identity Verification (PIV) credentials.

Weight

10

Fix Recommendation

Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Create a database to contain the system-wide screensaver settings (if it does not already exist) with the following command:

Note: The example is using the database local for the system, so if the system is using another database in "/etc/dconf/profile/user", the file should be created under the appropriate subdirectory.

# touch /etc/dconf/db/local.d/00-defaults

Edit "[org/gnome/login-screen]" and add or update the following line:
enable-smartcard-authentication=true

Update the system databases:
# dconf update

Check Contents

Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Determine which profile the system database is using with the following command:

# grep system-db /etc/dconf/profile/user

system-db:local

Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.

# grep enable-smartcard-authentication /etc/dconf/db/local.d/*

enable-smartcard-authentication=true

If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.

Vulnerability Number

V-204397

Documentable

False

Rule Version

RHEL-07-010061

Severity Override Guidance

Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon.

Note: If the system does not have GNOME installed, this requirement is Not Applicable.

Determine which profile the system database is using with the following command:

# grep system-db /etc/dconf/profile/user

system-db:local

Note: The example is using the database local for the system, so the path is "/etc/dconf/db/local.d". This path must be modified if a database other than local is being used.

# grep enable-smartcard-authentication /etc/dconf/db/local.d/*

enable-smartcard-authentication=true

If "enable-smartcard-authentication" is set to "false" or the keyword is missing, this is a finding.

Check Content Reference

M

Target Key

2899

Comments