
V-71965 Utilizes authconfig

Open Bialogs opened this issue 6 years ago • 2 comments

V-71965 utilizes authconfig to perform a check if smartcard for login is enabled.

describe command("authconfig --test | grep -i smartcard") do

Unfortunately authconfig does not really exist on SIMP systems...

$ cat /sbin/authconfig
#!/bin/sh
# This file is managed by Puppet. DO NOT EDIT.

# authconfig cannot be used to generate equivalent,
# security-compliant, PAM configuration as that created by
# SIMP.  To prevent an administrator from inadvertently
# corrupting PAM configuration by using /usr/sbin/authconfig,
# /usr/sbin/authconfig-tui or tools that call them, SIMP has
# replaced the original authconfig and authconfig-tui links
# with links to this no-op script.

/bin/true

Therefore this control needs to look at the configuration directly.

Bialogs, Feb 07 '19 22:02

I'm not sure if looking in /etc/sysconfig/authconfig for USESMARTCARD=no|yes is a good alternative. What other places does one check to confirm smartcard authentication is on?

Bialogs, Feb 07 '19 23:02

@Bialogs You'll have to delve into the PAM stack directly (which is the correct answer anyway, since people can fake out the check as it stands).

trevor-vaughan, Feb 28 '19 21:02
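
One way to read the PAM stack directly, as suggested in the last comment (an added example, not code from the thread or from the InSpec profile): it follows include/substack lines and reports whether a service's auth stack actually loads a smartcard module. It assumes pam_pkcs11.so is that module; the service names and file contents are constructed samples.

```ruby
# Assumption: pam_pkcs11.so is the smartcard module (the stock EL7 choice).
SMARTCARD_MODULE = 'pam_pkcs11.so'

# Parse one PAM file into [type, control, module] triples.
def parse_pam(text)
  text.gsub(/\\\n/, ' ').each_line.map do |line|
    line = line.sub(/#.*/, '').strip          # commented-out lines do not count
    next if line.empty?
    type, rest = line.split(/\s+/, 2)
    # control is one word or a bracketed list such as [success=done default=die]
    m = rest.to_s.match(/\A(\[[^\]]*\]|\S+)\s+(\S+)/)
    m && [type.sub(/\A-/, ''), m[1], File.basename(m[2])]
  end.compact
end

# Auth modules a service really runs, following include/substack.
# files: hash of PAM file name => contents (read from /etc/pam.d in practice).
def auth_modules(files, service, seen = [])
  return [] if seen.include?(service) || !files.key?(service)
  parse_pam(files[service]).flat_map do |type, control, mod|
    next [] unless type == 'auth'
    if %w[include substack].include?(control)
      auth_modules(files, mod, seen + [service])
    else
      [mod]
    end
  end
end

def smartcard_in_stack?(files, service)
  auth_modules(files, service).include?(SMARTCARD_MODULE)
end

# Constructed sample files, not taken from a SIMP system.
SAMPLE = {
  'sshd' => "auth substack password-auth\naccount required pam_nologin.so\n",
  'password-auth' => "auth required pam_env.so\n" \
                     "# auth sufficient pam_pkcs11.so\n" \
                     "auth sufficient pam_unix.so\n",
  'gdm-password' => "auth include smartcard-auth\n",
  'smartcard-auth' => "auth required pam_env.so\n" \
                      "auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card\n"
}.freeze

SAMPLE.each_key { |svc| puts "#{svc}: smartcard=#{smartcard_in_stack?(SAMPLE, svc)}" }
```

The commented-out pam_pkcs11.so line in the sample password-auth file is the case a plain grep over /etc/pam.d would misreport as enabled.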