Signed-off-by: Jeffrey Blank <[email protected]> --- RHEL6/input/system/accounts/physical.xml | 40 +++++++++++++++++++++-------- 1 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 16fe989..a72921d 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml 
@@ -349,25 +349,43 @@ for users who may need to suspend console logins. </Group> <Group id="smart_card_login"> -<title>Using Smart Cards for System Login</title> +<title>Hardware Tokens for Authentication</title> <description> -The use of smart cards, like Common Access Cards (CAC), for system login +The use of hardware tokens such as smart cards for system login provides stronger, two-factor authentication than using a username/password. -Smart cards take advantage of Public Key Infrastructure (PKI) to store -encrypted digital certificates that can be used to authenticate the card -owner. -<br /><br /> -In Red Hat Enterprise Linux servers and workstations, smart card login +In Red Hat Enterprise Linux servers and workstations, hardware token login is not enabled by default and must be enabled in the system settings. -Detailed procedures on how to configure a system to use smart card -authentication for login can be found in the Red Hat Documentation web site: +</description> + +<Rule id="smartcard_auth"> +<title>Enable Smart Card Login</title> +<description> +To enable smart card authentication, consult the documentation at: <ul> <li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html</li> </ul> -It is recommended to use smart cards wherever feasible as part of a multifactor -authentication system. </description> +<ocil clause="non-exempt accounts are not using CAC authentication"> +Interview the SA to determine if all accounts not exempted by policy are +using CAC authentication. +For DoD systems, the following systems and accounts are exempt from using +smart card (CAC) authentication: +<ul> +<li>SIPRNET systems</li> <!-- also any other non-Internet systems? 
--> +<li>Standalone systems</li> +<li>Application accounts</li> +<li>Temporary employee accounts, such as students or interns, who cannot easily receive a CAC or PIV</li> +<li>Operational tactical locations that are not collocated with RAPIDS workstations to issue CAC or ALT</li> +<li>Test systems, such as those with an Interim Approval to Test (IATT) and use a separate VPN, firewall, or security measure preventing access to network and system components from outside the protection boundary documented in the IATT.</li> +</ul> +</ocil> +<rationale>Smart card login provides two-factor authentication stronger than +that provided by a username/password combination. Smart cards leverage a PKI +(public key infrastructure) in order to provide and verify credentials. +</rationale> <ref disa="765,766,767,768,771,772,884" /> +</Rule> + </Group> </Group> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
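Review bot: the open question left as an XML comment inside the OCIL exemption list (`<li>SIPRNET systems</li> <!-- also any other non-Internet systems? -->`) should be resolved or dropped before this merges; the `<ul>` under `<ocil clause="non-exempt accounts are not using CAC authentication">` is the normative list an assessor uses to decide which accounts may skip CAC, so an unanswered "also ...?" either ships into the generated guide as a dangling comment or silently leaves the exemption scope undefined. Either add the intended entries (e.g. a `<li>` for non-Internet-connected systems) with the policy source they come from, or remove the comment. Related wording point: the Group title and description in this hunk are generalized from "Smart Cards"/"CAC" to "hardware tokens such as smart cards", while the new Rule's OCIL text and clause remain specifically CAC/DoD ("all accounts not exempted by policy are using CAC authentication"); consider stating in the Rule description that the interview text applies to DoD systems, or phrasing the clause in terms of the organization's approved token so the Rule matches the Group it now sits in. Minor: "RAPIDS" and "ALT" appear without expansion in the exemption list; spelling them out once would help assessors outside DoD.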
