← Rules Catalog
mediumaccess-controlunverified

Ensure the CAC smart card driver is configured

cac-smartcard-driver · RHEL ≥ 10 · 1 impl

Description

RHEL 10 must load the common access card (CAC) smart card driver so that CAC/PIV-based multifactor authentication functions. When the opensc tooling is present this is verified automatically; when it is absent, manual confirmation is required of whether CAC is required in this environment.

Rationale

CAC/PIV smart cards provide DOD multifactor authentication. Without the "cac" card driver, the operating system cannot interpret the card, defeating the multifactor requirement.

Check → Remediate

Checkcommand
if ! command -v opensc-tool >/dev/null 2>&1; then
  echo "MANUAL REVIEW REQUIRED: opensc (smart card tooling) is not installed, so the CAC driver cannot be verified. If this system uses CAC/PIV authentication, install opensc and configure the 'cac' card driver; otherwise confirm CAC is not required here."
  exit 0
fi
drivers=$(opensc-tool --get-conf-entry app:default:card_drivers 2>/dev/null)
if printf '%s' "$drivers" | grep -qiw cac; then
  echo "OK: the CAC card driver is configured (card_drivers includes 'cac')"
  exit 0
fi
echo "FAIL: the 'cac' card driver is not listed in card_drivers"
exit 1
expected_exit:
0
Remediatemanual
note:
Add "cac" to the card_drivers list in /etc/opensc.conf under app default { card_drivers = cac, ...; } so the CAC driver is loaded.

Framework references

STIG

V-280976 / RHEL-10-200621

NIST 800-53

IA-2(1)IA-2(2)
#authentication#smartcard#cac#opensc#stig#manual