Signed-off-by: Jeffrey Blank <blank(a)eclipse.ncsc.mil>
---
RHEL6/input/system/accounts/physical.xml | 40 +++++++++++++++++++++--------
1 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/RHEL6/input/system/accounts/physical.xml
b/RHEL6/input/system/accounts/physical.xml
index 16fe989..a72921d 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
@@ -349,25 +349,43 @@ for users who may need to suspend console logins.
</Group>
<Group id="smart_card_login">
-<title>Using Smart Cards for System Login</title>
+<title>Hardware Tokens for Authentication</title>
<description>
-The use of smart cards, like Common Access Cards (CAC), for system login
+The use of hardware tokens such as smart cards for system login
provides stronger, two-factor authentication than using a username/password.
-Smart cards take advantage of Public Key Infrastructure (PKI) to store
-encrypted digital certificates that can be used to authenticate the card
-owner.
-<br /><br />
-In Red Hat Enterprise Linux servers and workstations, smart card login
+In Red Hat Enterprise Linux servers and workstations, hardware token login
is not enabled by default and must be enabled in the system settings.
-Detailed procedures on how to configure a system to use smart card
-authentication for login can be found in the Red Hat Documentation web site:
+</description>
+
+<Rule id="smartcard_auth">
+<title>Enable Smart Card Login</title>
+<description>
+To enable smart card authentication, consult the documentation at:
<ul>
<
li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/...
</ul>
-It is recommended to use smart cards wherever feasible as part of a multifactor
-authentication system.
</description>
+<ocil clause="non-exempt accounts are not using CAC authentication">
+Interview the SA to determine if all accounts not exempted by policy are
+using CAC authentication.
+For DoD systems, the following systems and accounts are exempt from using
+smart card (CAC) authentication:
+<ul>
+<li>SIPRNET systems</li> <!-- also any other non-Internet systems? -->
+<li>Standalone systems</li>
+<li>Application accounts</li>
+<li>Temporary employee accounts, such as students or interns, who cannot easily
receive a CAC or PIV</li>
+<li>Operational tactical locations that are not collocated with RAPIDS workstations
to issue CAC or ALT</li>
+<li>Test systems, such as those with an Interim Approval to Test (IATT) and use a
separate VPN, firewall, or security measure preventing access to network and system
components from outside the protection boundary documented in the IATT.</li>
+</ul>
+</ocil>
+<rationale>Smart card login provides two-factor authentication stronger than
+that provided by a username/password combination. Smart cards leverage a PKI
+(public key infrastructure) in order to provide and verify credentials.
+</rationale>
<ref disa="765,766,767,768,771,772,884" />
+</Rule>
+
</Group>
</Group>
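Review bot: the `<ocil>` block commits an unresolved question as an HTML comment (`<!-- also any other non-Internet systems? -->` next to `<li>SIPRNET systems</li>`); the exemption list is the assessor's checklist, so settle that question before merge and drop the comment, or track it in the commit message instead of the content. Two smaller points: the Group title and description are generalized from smart cards to "hardware tokens", but the new Rule's clause and interview text are specific to CAC on DoD systems, so either the Rule description should say that this check covers the DoD CAC case only, or the wording should be broadened to match the Group. Also, the Rule carries only the interview `<ocil>` and the `<ref disa=...>` line with no automated check element, and its description points at a truncated `https://docs.redhat.com/.../html/...` URL, so an assessor has nothing machine-verifiable and no full reference to follow; consider adding a check for the smart card PAM configuration the Rule is meant to enable and the complete document link.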
--
1.7.1