mediumaccess-controlunverified
Ensure the CAC smart card driver is configured
cac-smartcard-driver · RHEL ≥ 10 · 1 impl
Description
RHEL 10 must load the common access card (CAC) smart card driver so that CAC/PIV-based multifactor authentication functions. When the opensc tooling is present this is verified automatically; when it is absent, manual confirmation is required of whether CAC is required in this environment.
Rationale
CAC/PIV smart cards provide DOD multifactor authentication. Without the "cac" card driver, the operating system cannot interpret the card, defeating the multifactor requirement.
Check → Remediate
Checkcommand
if ! command -v opensc-tool >/dev/null 2>&1; then echo "MANUAL REVIEW REQUIRED: opensc (smart card tooling) is not installed, so the CAC driver cannot be verified. If this system uses CAC/PIV authentication, install opensc and configure the 'cac' card driver; otherwise confirm CAC is not required here." exit 0 fi drivers=$(opensc-tool --get-conf-entry app:default:card_drivers 2>/dev/null) if printf '%s' "$drivers" | grep -qiw cac; then echo "OK: the CAC card driver is configured (card_drivers includes 'cac')" exit 0 fi echo "FAIL: the 'cac' card driver is not listed in card_drivers" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add "cac" to the card_drivers list in /etc/opensc.conf under app default { card_drivers = cac, ...; } so the CAC driver is loaded.
Framework references
STIG
V-280976 / RHEL-10-200621
NIST 800-53
IA-2(1)IA-2(2)
#authentication#smartcard#cac#opensc#stig#manual