From a89f73985d5d92acc75229004bafdc931f5ed750 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 3 Sep 2020 18:09:53 +0200
Subject: [PATCH 1/2] Introduce new rule sssd_ldap_configure_tls_reqcert.

---
 .../ansible/shared.yml                        |  6 +++
 .../bash/shared.sh                            |  6 +++
 .../oval/shared.xml                           | 24 ++++++++++++
 .../sssd_ldap_configure_tls_reqcert/rule.yml  | 39 +++++++++++++++++++
 ...rovider_and_reqcert_never.notapplicable.sh |  7 ++++
 .../tests/correct_value.pass.sh               |  5 +++
 .../id_provider_is_set_to_ad.notapplicable.sh |  6 +++
 ...ldap_id_provider_and_reqcert_never.fail.sh |  6 +++
 .../tests/ldap_tls_reqcert_not_there.fail.sh  |  6 +++
 rhel7/profiles/stig.profile                   |  1 +
 shared/references/cce-redhat-avail.txt        |  2 -
 tests/shared/sssd.conf                        |  1 +
 12 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
 create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
new file mode 100644
index 0000000000..891b3e2f97
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
@@ -0,0 +1,6 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+# reboot = false
+# strategy = unknown
+# complexity = low
+# disruption = medium
+{{{ ansible_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}
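Review bot: The header leaves the remediation strategy as `# strategy = unknown` although the remediation is a single config-file edit done by the `ansible_sssd_ldap_config` macro; the value should be a concrete one, e.g. `# strategy = configure`. The platform list on the first line also omits `multi_platform_wrlinux`, which the bash remediation in this same commit and the rule's `prodtype` (wrlinux1019) both include, so if Ansible content is built for wrlinux this rule would have no remediation there. If that is not intended, `# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol` brings the two remediations in line.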
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
new file mode 100644
index 0000000000..62c2febc46
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}}
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
new file mode 100644
index 0000000000..9d3db0488f
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
@@ -0,0 +1,24 @@
+<def-group>
+  <definition class="compliance" id="sssd_ldap_configure_tls_reqcert" version="1">
+    <metadata>
+      <title>Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server</title>
+      {{{- oval_affected(products) }}}
+      <description>Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.</description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_sssd_ldap_tls_reqcert" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="all_exist"
+  comment="Ensures that LDAP TLS requires certificate is set"
+  id="test_sssd_ldap_tls_reqcert" version="1">
+    <ind:object object_ref="object_sssd_ldap_tls_reqcert" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_sssd_ldap_tls_reqcert" version="1">
+    <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>
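Review bot: The object pins the match to `<ind:instance datatype="int">1</ind:instance>`, so only the first `[domain/...]` stanza the pattern reaches is examined; on a multi-domain sssd.conf a later domain stanza that omits `ldap_tls_reqcert` or sets it to `never` is not seen and the definition still passes. If every domain is expected to demand a certificate, the check needs a different construction (for example comparing the number of domain stanzas with the number of compliant matches), and a test scenario with two domain sections would pin down the intended semantics either way; the tests added in this commit all use a single domain. The `((?i)demand)` group also accepts `DEMAND` or `Demand` — worth confirming that sssd treats the value case-insensitively, otherwise the check is more lenient than the daemon.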
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
new file mode 100644
index 0000000000..4dee11bcfb
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
+
+title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server'
+
+description: |-
+    Configure SSSD to demand a valid certificate from the server to
+    protect the integrity of LDAP remote access sessions. By setting
+    the <pre>ldap_tls_reqcert</pre> option in <pre>/etc/sssd/sssd.conf</pre>
+    to <tt>demand</tt>.
+
+rationale: |-
+    Without a valid certificate presented to the LDAP client backend, the identity of a
+    server can be forged compromising LDAP remote access sessions.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-84061-1
+    cce@rhel8: CCE-84062-9
+
+references:
+    stigid@ol7: OL07-00-040190
+    disa: CCI-001453
+    nist: SC-12(3),CM-6(a)
+    srg: SRG-OS-000250-GPOS-00093
+    stigid@rhel7: RHEL-07-040190
+
+ocil_clause: 'the TLS reqcert is not set to demand'
+
+ocil: |-
+    To verify the LDAP client backend demands a valid certificate from the server in
+    remote ldap access sessions, run the following command:
+    <pre>$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf</pre>
+    The output should return the following:
+    <pre>ldap_tls_reqcert = demand</pre>
+
+platform: sssd-ldap
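Review bot: Neither the description nor the ocil text says that `ldap_tls_reqcert` has to be placed in the `[domain/...]` section, yet the OVAL pattern added for this rule only matches the option inside a domain stanza, so an administrator who follows the text and puts it under `[sssd]` keeps failing the check. Suggest ending the description with `the <pre>ldap_tls_reqcert</pre> option in the <pre>[domain/...]</pre> section of <pre>/etc/sssd/sssd.conf</pre>`. The manual check `$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf` also prints a commented-out `# ldap_tls_reqcert = demand`, which reads like the expected output; anchoring it as `<pre>$ sudo grep '^\s*ldap_tls_reqcert' /etc/sssd/sssd.conf</pre>` avoids that false positive.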
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
new file mode 100644
index 0000000000..3b82743f8d
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf
+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf
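Review bot: The first `sed` in this script rewrites `ldap_tls_reqcert = demand` into `ldap_id_use_start_tls = never`, so the "reqcert_never" scenario the file name promises never sets `ldap_tls_reqcert = never`; the option is simply removed, which duplicates ldap_tls_reqcert_not_there.fail.sh instead of covering a wrong value. The same substitution appears in ldap_id_provider_and_reqcert_never.fail.sh, where the fail result is therefore obtained for the wrong reason. The intended line is presumably `sed -i 's/ldap_tls_reqcert = demand/ldap_tls_reqcert = never/' /etc/sssd/sssd.conf` in both scripts.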
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..82bff74acf
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
new file mode 100644
index 0000000000..21f3af4c96
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
new file mode 100644
index 0000000000..0fe620475e
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
new file mode 100644
index 0000000000..0e01fafb6f
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index b820d30608..1b41b85857 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -236,6 +236,7 @@ selections:
     - sssd_ldap_start_tls.severity=medium
     - sssd_ldap_configure_tls_ca_dir
     - sssd_ldap_configure_tls_ca
+    - sssd_ldap_configure_tls_reqcert
     - sysctl_kernel_randomize_va_space
     - package_openssh-server_installed
     - sshd_required=yes
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4609b82680..7ab5eb179e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -650,8 +650,6 @@ CCE-84057-9
 CCE-84058-7
 CCE-84059-5
 CCE-84060-3
-CCE-84061-1
-CCE-84062-9
 CCE-84063-7
 CCE-84064-5
 CCE-84065-2
diff --git a/tests/shared/sssd.conf b/tests/shared/sssd.conf
index dc51456425..6903a25d37 100644
--- a/tests/shared/sssd.conf
+++ b/tests/shared/sssd.conf
@@ -9,6 +9,7 @@ ldap_search_base = dc=com
 ldap_tls_cacertdir = /etc/openldap/cacerts
 cache_credentials = True
 krb5_store_password_if_offline = True
+ldap_tls_reqcert = demand
 
 
 [sssd]

From daf742ec9dad984e17e8a99bd7793bc9f44a32c4 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 21 Sep 2020 17:24:08 +0200
Subject: [PATCH 2/2] Use oval_metadata macro and update text of rule
 sssd_ldap_configure_tls_reqcert.

---
 .../sssd_ldap_configure_tls_reqcert/oval/shared.xml        | 7 ++-----
 .../sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml     | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
index 9d3db0488f..688cf17abb 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
@@ -1,10 +1,7 @@
 <def-group>
   <definition class="compliance" id="sssd_ldap_configure_tls_reqcert" version="1">
-    <metadata>
-      <title>Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server</title>
-      {{{- oval_affected(products) }}}
-      <description>Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.</description>
-    </metadata>
+    {{{ oval_metadata("Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.",
+        title="Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server") }}}
     <criteria>
       <criterion test_ref="test_sssd_ldap_tls_reqcert" />
     </criteria>
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
index 4dee11bcfb..731b7c0846 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
@@ -6,7 +6,7 @@ title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from th
 
 description: |-
     Configure SSSD to demand a valid certificate from the server to
-    protect the integrity of LDAP remote access sessions. By setting
+    protect the integrity of LDAP remote access sessions by setting
     the <pre>ldap_tls_reqcert</pre> option in <pre>/etc/sssd/sssd.conf</pre>
     to <tt>demand</tt>.
 
@@ -31,7 +31,7 @@ ocil_clause: 'the TLS reqcert is not set to demand'
 
 ocil: |-
     To verify the LDAP client backend demands a valid certificate from the server in
-    remote ldap access sessions, run the following command:
+    remote LDAP access sessions, run the following command:
     <pre>$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf</pre>
     The output should return the following:
     <pre>ldap_tls_reqcert = demand</pre>