The system _MUST_ be configured to enforce multifactor authentication when the sudo command is used to elevate privilege. All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system. NOTE: /etc/pam.d/sudo will be automatically modified to its original state following any update or major upgrade to the operating system. Setting the default value to "yes" will mess up services like SSH, if smart card authentication is not set up in the machine Fix: Add the following lines in /etc/pam.d/sudo file: auth sufficient pam_smartcard.so auth required pam_deny.so

[yes/no]

Add the following lines in /etc/pam.d/sudo file: auth sufficient pam_smartcard.so auth required pam_deny.so