Skip to content

Instantly share code, notes, and snippets.

@ptitoliv ptitoliv/eval.xml
Last active Dec 26, 2017

Embed
What would you like to do?
Remediation test for smartcard packages installation
<Rule id="install_smartcard_packages" selected="false" severity="medium">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Install Smart Card Packages For Multifactor Authentication</title>
<description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Configure the operating system to implement multifactor authentication by
installing the required packages with the following command:
<html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo yum install esc pam_pkcs11 authconfig-gtk</html:pre>
</description>
<reference href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001954</reference>
<reference href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000375-GPOS-00160</reference>
<reference href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-87041r2_rule</reference>
<rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
<html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/>
Multifactor solutions that require devices separate from
information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such
as the U.S. Government Personal Identity Verification card and the DoD Common
Access Card.
</rationale>
<platform idref="cpe:/a:machine"/>
<fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="install_smartcard_packages" system="urn:xccdf:fix:script:sh"><ns0:sub xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" idref="function_package_command"/>
package_command install esc
package_command install pam_pkcs11
<ns0:sub xmlns:ns0="http://checklists.nist.gov/xccdf/1.1" idref="function_package_command"/>
package_command install authconfig-gtk
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref name="oval:ssg-install_smartcard_packages:def:1" href="ssg-rhel7-oval.xml"/>
</check>
<check system="http://scap.nist.gov/schema/ocil/2">
<check-content-ref name="ocil:ssg-install_smartcard_packages_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/>
</check>
</Rule>
# platform = multi_platform_rhel
. /usr/share/scap-security-guide/remediation_functions
package_command install esc
package_command install pam_pkcs11
package_command install authconfig-gtk
<def-group>
<definition class="compliance" id="install_smartcard_packages" version="1">
<metadata>
<title>Install needed packages for smartcard use.</title>
<affected family="unix">
<platform>Red Hat Enterprise Linux 7</platform>
</affected>
<description>The RPM packages esc pam_pkcs11 and authconfig-gtk must be installed.</description>
</metadata>
<criteria comment="packages for smartcard use are installed">
<extend_definition comment="pam_pkcs11 package is installed" definition_ref="package_pam_pkcs11_installed" />
<extend_definition comment="esc package is installed" definition_ref="package_esc_installed" />
<extend_definition comment="authconfig-gtk package is installed" definition_ref="package_authconfig-gtk_installed" />
</criteria>
</definition>
</def-group>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.