From a89f73985d5d92acc75229004bafdc931f5ed750 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Thu, 3 Sep 2020 18:09:53 +0200

Subject: [PATCH 1/2] Introduce new rule sssd_ldap_configure_tls_reqcert.

---

 .../ansible/shared.yml                        |  6 +++

 .../bash/shared.sh                            |  6 +++

 .../oval/shared.xml                           | 24 ++++++++++++

 .../sssd_ldap_configure_tls_reqcert/rule.yml  | 39 +++++++++++++++++++

 ...rovider_and_reqcert_never.notapplicable.sh |  7 ++++

 .../tests/correct_value.pass.sh               |  5 +++

 .../id_provider_is_set_to_ad.notapplicable.sh |  6 +++

 ...ldap_id_provider_and_reqcert_never.fail.sh |  6 +++

 .../tests/ldap_tls_reqcert_not_there.fail.sh  |  6 +++

 rhel7/profiles/stig.profile                   |  1 +

 shared/references/cce-redhat-avail.txt        |  2 -

 tests/shared/sssd.conf                        |  1 +

 12 files changed, 107 insertions(+), 2 deletions(-)

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh

 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml

new file mode 100644

index 0000000000..891b3e2f97

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml

@@ -0,0 +1,6 @@

+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol

+# reboot = false

+# strategy = unknown

+# complexity = low

+# disruption = medium

+{{{ ansible_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh

new file mode 100644

index 0000000000..62c2febc46

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh

@@ -0,0 +1,6 @@

+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol

+

+# Include source function library.

+. /usr/share/scap-security-guide/remediation_functions

+

+{{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml

new file mode 100644

index 0000000000..9d3db0488f

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml

@@ -0,0 +1,24 @@

+<def-group>

+  <definition class="compliance" id="sssd_ldap_configure_tls_reqcert" version="1">

+    <metadata>

+      <title>Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server</title>

+      {{{- oval_affected(products) }}}

+      <description>Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.</description>

+    </metadata>

+    <criteria>

+      <criterion test_ref="test_sssd_ldap_tls_reqcert" />

+    </criteria>

+  </definition>

+

+  

+  comment="Ensures that LDAP TLS requires certificate is set"

+  id="test_sssd_ldap_tls_reqcert" version="1">

+    <ind:object object_ref="object_sssd_ldap_tls_reqcert" />

+  </ind:textfilecontent54_test>

+

+  <ind:textfilecontent54_object id="object_sssd_ldap_tls_reqcert" version="1">

+    <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>

+    <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$</ind:pattern>

+    <ind:instance datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+</def-group>

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml

new file mode 100644

index 0000000000..4dee11bcfb

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml

@@ -0,0 +1,39 @@

+documentation_complete: true

+

+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019

+

+title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server'

+

+description: |-

+    Configure SSSD to demand a valid certificate from the server to

+    protect the integrity of LDAP remote access sessions. By setting

+    the 
ldap_tls_reqcert
 option in 
/etc/sssd/sssd.conf

+    to <tt>demand</tt>.

+

+rationale: |-

+    Without a valid certificate presented to the LDAP client backend, the identity of a

+    server can be forged compromising LDAP remote access sessions.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: CCE-84061-1

+    cce@rhel8: CCE-84062-9

+

+references:

+    stigid@ol7: OL07-00-040190

+    disa: CCI-001453

+    nist: SC-12(3),CM-6(a)

+    srg: SRG-OS-000250-GPOS-00093

+    stigid@rhel7: RHEL-07-040190

+

+ocil_clause: 'the TLS reqcert is not set to demand'

+

+ocil: |-

+    To verify the LDAP client backend demands a valid certificate from the server in

+    remote ldap access sessions, run the following command:

+    
$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf

+    The output should return the following:

+    
ldap_tls_reqcert = demand

+

+platform: sssd-ldap

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh

new file mode 100644

index 0000000000..3b82743f8d

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/setup_config_files.sh

+setup_correct_sssd_config

+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf

+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh

new file mode 100644

index 0000000000..82bff74acf

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/setup_config_files.sh

+setup_correct_sssd_config

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh

new file mode 100644

index 0000000000..21f3af4c96

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/setup_config_files.sh

+setup_correct_sssd_config

+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh

new file mode 100644

index 0000000000..0fe620475e

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/setup_config_files.sh

+setup_correct_sssd_config

+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh

new file mode 100644

index 0000000000..0e01fafb6f

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh

@@ -0,0 +1,6 @@

+#!/bin/bash

+# profiles = xccdf_org.ssgproject.content_profile_stig

+

+. $SHARED/setup_config_files.sh

+setup_correct_sssd_config

+sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile

index b820d30608..1b41b85857 100644

--- a/rhel7/profiles/stig.profile

+++ b/rhel7/profiles/stig.profile

@@ -236,6 +236,7 @@ selections:

     - sssd_ldap_start_tls.severity=medium

     - sssd_ldap_configure_tls_ca_dir

     - sssd_ldap_configure_tls_ca

+    - sssd_ldap_configure_tls_reqcert

     - sysctl_kernel_randomize_va_space

     - package_openssh-server_installed

     - sshd_required=yes

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 4609b82680..7ab5eb179e 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -650,8 +650,6 @@ CCE-84057-9

 CCE-84058-7

 CCE-84059-5

 CCE-84060-3

-CCE-84061-1

-CCE-84062-9

 CCE-84063-7

 CCE-84064-5

 CCE-84065-2

diff --git a/tests/shared/sssd.conf b/tests/shared/sssd.conf

index dc51456425..6903a25d37 100644

--- a/tests/shared/sssd.conf

+++ b/tests/shared/sssd.conf

@@ -9,6 +9,7 @@ ldap_search_base = dc=com

 ldap_tls_cacertdir = /etc/openldap/cacerts

 cache_credentials = True

 krb5_store_password_if_offline = True

+ldap_tls_reqcert = demand

 [sssd]

From daf742ec9dad984e17e8a99bd7793bc9f44a32c4 Mon Sep 17 00:00:00 2001

From: Gabriel Becker <ggasparb@redhat.com>

Date: Mon, 21 Sep 2020 17:24:08 +0200

Subject: [PATCH 2/2] Use oval_metadata macro and update text of rule

 sssd_ldap_configure_tls_reqcert.

---

 .../sssd_ldap_configure_tls_reqcert/oval/shared.xml        | 7 ++-----

 .../sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml     | 4 ++--

 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml

index 9d3db0488f..688cf17abb 100644

--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml

@@ -1,10 +1,7 @@

 <def-group>

   <definition class="compliance" id="sssd_ldap_configure_tls_reqcert" version="1">

-    <metadata>

-      <title>Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server</title>

-      {{{- oval_affected(products) }}}

-      <description>Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.</description>

-    </metadata>

+    {{{ oval_metadata("Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.",

+        title="Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server") }}}

     <criteria>

       <criterion test_ref="test_sssd_ldap_tls_reqcert" />

     </criteria>

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml

index 4dee11bcfb..731b7c0846 100644

--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml

+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml

@@ -6,7 +6,7 @@ title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from th

 description: |-

     Configure SSSD to demand a valid certificate from the server to

-    protect the integrity of LDAP remote access sessions. By setting

+    protect the integrity of LDAP remote access sessions by setting

     the 
ldap_tls_reqcert
 option in 
/etc/sssd/sssd.conf

     to <tt>demand</tt>.

@@ -31,7 +31,7 @@ ocil_clause: 'the TLS reqcert is not set to demand'

 ocil: |-

     To verify the LDAP client backend demands a valid certificate from the server in

-    remote ldap access sessions, run the following command:

+    remote LDAP access sessions, run the following command:

     
$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf

     The output should return the following:

     
ldap_tls_reqcert = demand