RHEL 9 must use the common access card (CAC) smart card driver.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258121 | RHEL-09-611160 | SV-258121r1102086_rule | CCI-000764 | medium |
| Description | ||||
| Smart card login provides two-factor authentication stronger than that provided by a username and password combination. Smart cards leverage public key infrastructure to provide and verify credentials. Configuring the smart card driver in use by the organization helps to prevent users from using unauthorized smart cards. Satisfies: SRG-OS-000104-GPOS-00051, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000109-GPOS-00056, SRG-OS-000108-GPOS-00055, SRG-OS-000112-GPOS-00057, SRG-OS-000113-GPOS-00058 | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2025-05-14 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
IA-2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.5.1
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.2
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000764
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-258121r1102086_chk)
Verify that RHEL loads the CAC driver with the following command:
$ sudo opensc-tool --get-conf-entry app:default:card_drivers cac
cac
If "cac" is not listed as a card driver, or no line is returned for "card_drivers", this is a finding.
Fix Text (F-61786r1045242_fix)
Configure RHEL 9 to load the CAC driver.
$ sudo opensc-tool --set-conf-entry app:default:card_driver:cac
Restart the pcscd service to apply the changes:
$ sudo systemctl restart pcscd