Puppet Class: cis_security_hardening::rules::gdm_mfa

Defined in:
manifests/rules/gdm_mfa.pp

Summary

Ensure users must authenticate users using MFA via a graphical user logon

Overview

The operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon.

Rationale: To assure accountability and prevent unauthenticated access, users must be identified and authenticated to prevent potential misuse and compromise of the system.

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card.

Satisfies: SRG-OS-000375-GPOS-00161,SRG-OS-000375-GPOS-00162

Examples:

class { 'cis_security_hardening::rules::gdm_mfa':
  enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
 
# File 'manifests/rules/gdm_mfa.pp', line 26

class cis_security_hardening::rules::gdm_mfa (
  Boolean $enforce = false,
) {
  $gnome_gdm = fact('cis_security_hardening.gnome_gdm')
  if  $enforce and $gnome_gdm != undef and $gnome_gdm {
    file { '/etc/dconf/db/local.d/00-defaults':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
    }

    file_line { 'mfa':
      ensure             => present,
      path               => '/etc/dconf/db/local.d/00-defaults',
      match              => '^enable-smartcard-authentication',
      line               => 'enable-smartcard-authentication=true',
      append_on_no_match => true,
      require            => File['/etc/dconf/db/local.d/00-defaults'],
    }
  }
}