STIGQter: STIG Summary: Oracle Linux 7 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Oracle Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.

DISA Rule

SV-221703r603260_rule

Vulnerability Number

V-221703

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

OL07-00-010500

Severity

CAT II

CCI(s)

• CCI-000767 - The information system implements multifactor authentication for local access to privileged accounts.
• CCI-000768 - The information system implements multifactor authentication for local access to non-privileged accounts.
• CCI-000770 - The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
• CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

10

Fix Recommendation

Configure the operating system to require individuals to be authenticated with a multifactor authenticator.

Enable smartcard logons with the following commands:

# authconfig --enablesmartcard --smartcardaction=0 --update
# authconfig --enablerequiresmartcard -update

Modify the "/etc/pam_pkcs11/pkcs11_eventmgr.conf" file to uncomment the following line:

#/usr/X11R6/bin/xscreensaver-command -lock

Modify the "/etc/pam_pkcs11/pam_pkcs11.conf" file to use the cackey module if required.

Check Contents

Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.

Check to see if smartcard authentication is enforced on the system:

# authconfig --test | grep "pam_pkcs11 is enabled"

If no results are returned, this is a finding.

# authconfig --test | grep "smartcard removal action"

If "smartcard removal action" is blank, this is a finding.

# authconfig --test | grep "smartcard module"

If "smartcard module" is blank, this is a finding.

Vulnerability Number

V-221703

Documentable

False

Rule Version

OL07-00-010500

Severity Override Guidance

Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication.

Check to see if smartcard authentication is enforced on the system:

# authconfig --test | grep "pam_pkcs11 is enabled"

If no results are returned, this is a finding.

# authconfig --test | grep "smartcard removal action"

If "smartcard removal action" is blank, this is a finding.

# authconfig --test | grep "smartcard module"

If "smartcard module" is blank, this is a finding.

Check Content Reference

M

Target Key

4089

Comments