Puppet Class: cis_security_hardening::rules::pam_mfa
- Defined in:
- manifests/rules/pam_mfa.pp
Summary
Ensure smart card logins for multifactor authentication for local and network accessOverview
The operating system must implement smart card logins for multifactor authentication for local and network access to privileged and non-privileged accounts.
Rationale: Without the use of multifactor authentication, the ease of access to privileged functions is greatly increased.
Multifactor authentication requires using two or more factors to achieve authentication. Factors include:
-
something a user knows (e.g., password/PIN);
-
something a user has (e.g., cryptographic identification device, token); and
-
something a user is (e.g., biometric).
A privileged account is defined as an information system account with authorizations of a privileged user.
Network access is defined as access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, or the internet).
The DoD CAC with DoD-approved PKI is an example of multifactor authentication.
Satisfies: SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107- GPOS-00054, SRG-OS-000108-GPOS-00055
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 |
# File 'manifests/rules/pam_mfa.pp', line 33
class cis_security_hardening::rules::pam_mfa (
Boolean $enforce = false
) {
if $enforce {
$path = ($facts['os']['name'] == 'SLES' and $facts['os']['release']['major'] == '12') ? {
true => '/usr/etc/ssh/sshd_config',
default => '/etc/ssh/sshd_config',
}
file_line { 'sshd-mfa-login':
ensure => present,
path => $path,
line => 'PubkeyAuthentication yes',
match => '^PubkeyAuthentication.*',
notify => Exec['reload-sshd'],
}
Pam { 'pam-common-mfa':
ensure => present,
service => 'common-auth',
type => 'auth',
control => '[success=2 default=ignore]',
control_is_param => true,
module => 'pam_pkcs11.so',
}
}
}
|