|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
|
|
|
fe0dde |
index 9fb218a0f7..a056742417 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
|
|
|
fe0dde |
@@ -42,3 +42,5 @@ ocil: |-
|
|
|
fe0dde |
$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf
|
|
|
fe0dde |
The output should return the following with a correctly configured CA cert path:
|
|
|
fe0dde |
ldap_tls_cacert /path/to/tls/ca.cert
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+platform: sssd-ldap
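Review bot: `platform: sssd-ldap` scopes this rule to the new `sssd_conf_uses_ldap` inventory definition, but that definition is only the negation of "id_provider is set to ad" (its description reads "Identification provider is not set to ad within /etc/sssd/sssd.conf" and its single criterion is `test_ref="test_id_provider_is_set_to_ad" negate="true"`), so a host with `id_provider = files` or with no `[domain/...]` section at all stays in scope, while the reworded sssd_ldap_start_tls description says the requirement applies when `id_provider` is set to `ldap` or `ipa`. Either the inventory definition should match positively on `id_provider` being `ldap` or `ipa`, or the description should state the scope the check actually implements, e.g. `Unless the <tt>id_provider</tt> is set to <tt>ad</tt>, <tt>ldap_id_use_start_tls</tt> must be set to <tt>true</tt>.`; the new `.notapplicable.sh` tests only exercise the `ad` case. The same `platform:` line is added to sssd_ldap_configure_tls_ca_dir/rule.yml and sssd_ldap_start_tls/rule.yml further down. The inventory object definition itself is cut off at the end of the page, so this is based on its description and criterion only.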
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
|
|
|
fe0dde |
index a6e8eeaad3..202fc7f444 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
|
|
|
fe0dde |
@@ -3,39 +3,6 @@
|
|
|
fe0dde |
# strategy = unknown
|
|
|
fe0dde |
# complexity = low
|
|
|
fe0dde |
# disruption = medium
|
|
|
fe0dde |
-- (xccdf-var var_sssd_ldap_tls_ca_dir)
|
|
|
fe0dde |
+{{{ ansible_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}}
|
|
|
fe0dde |
|
|
|
fe0dde |
-- name: "Test for domain group"
|
|
|
fe0dde |
- command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
|
|
|
fe0dde |
- register: test_grep_domain
|
|
|
fe0dde |
- ignore_errors: yes
|
|
|
fe0dde |
- changed_when: False
|
|
|
fe0dde |
- check_mode: no
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-- name: "Add default domain group and set CA directory (if no domain there)"
|
|
|
fe0dde |
- ini_file:
|
|
|
fe0dde |
- path: /etc/sssd/sssd.conf
|
|
|
fe0dde |
- section: "{{ item.section }}"
|
|
|
fe0dde |
- option: "{{ item.option }}"
|
|
|
fe0dde |
- value: "{{ item.value }}"
|
|
|
fe0dde |
- create: yes
|
|
|
fe0dde |
- mode: 0600
|
|
|
fe0dde |
- with_items:
|
|
|
fe0dde |
- - { section: sssd, option: domains, value: default}
|
|
|
fe0dde |
- - { section: domain/default, option: id_provider, value: files }
|
|
|
fe0dde |
- - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
|
|
|
fe0dde |
- when:
|
|
|
fe0dde |
- - test_grep_domain.stdout is defined
|
|
|
fe0dde |
- - test_grep_domain.stdout | length < 1
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-- name: "Configure LDAPs path to CA directory"
|
|
|
fe0dde |
- ini_file:
|
|
|
fe0dde |
- path: /etc/sssd/sssd.conf
|
|
|
fe0dde |
- section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
|
|
|
fe0dde |
- option: ldap_tls_cacertdir
|
|
|
fe0dde |
- value: "{{ var_sssd_ldap_tls_ca_dir }}"
|
|
|
fe0dde |
- create: yes
|
|
|
fe0dde |
- mode: 0600
|
|
|
fe0dde |
- when:
|
|
|
fe0dde |
- - test_grep_domain.stdout is defined
|
|
|
fe0dde |
- - test_grep_domain.stdout | length > 0
|
|
|
fe0dde |
+{{{ ansible_sssd_ldap_config(parameter="ldap_tls_cacertdir", value="{{ var_sssd_ldap_tls_ca_dir }}") }}}
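Review bot: The removed `ini_file` tasks set `mode: 0600` on `/etc/sssd/sssd.conf` together with `create: yes`, and the replacement `ansible_sssd_ldap_config(parameter="ldap_tls_cacertdir", ...)` call at the end of the hunk gives no indication of whether that mode is preserved; sssd is strict about the permissions of its configuration file and the file can hold LDAP bind credentials, so please confirm the macro either applies `mode: 0600` or never loosens an existing mode when it creates the file. The same question applies to the bash counterpart below (`bash_sssd_ldap_config`, where the removed code did `mkdir -p /etc/sssd` and `touch $SSSD_CONF` without any chmod) and to both sssd_ldap_start_tls remediations. If the macro does not handle it, a follow-up `file: path: /etc/sssd/sssd.conf mode: 0600` task after the macro call would restore the previous behaviour.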
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
|
|
|
fe0dde |
index 91464ef04c..8a0d04ad78 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
|
|
|
fe0dde |
@@ -2,20 +2,7 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
# Include source function library.
|
|
|
fe0dde |
. /usr/share/scap-security-guide/remediation_functions
|
|
|
fe0dde |
-populate var_sssd_ldap_tls_ca_dir
|
|
|
fe0dde |
|
|
|
fe0dde |
-SSSD_CONF="/etc/sssd/sssd.conf"
|
|
|
fe0dde |
-LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir'
|
|
|
fe0dde |
-DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
|
|
|
fe0dde |
+{{{ bash_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}}
|
|
|
fe0dde |
|
|
|
fe0dde |
-# Try find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to CA directory
|
|
|
fe0dde |
-# if it isn't here, add it, if [domain/..] doesn't exist, add it here for default domain
|
|
|
fe0dde |
-if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
|
|
|
fe0dde |
- sed -i "s~ldap_tls_cacertdir[^(\n)]*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~" $SSSD_CONF
|
|
|
fe0dde |
-elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
|
|
|
fe0dde |
- sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF
|
|
|
fe0dde |
-else
|
|
|
fe0dde |
- mkdir -p /etc/sssd
|
|
|
fe0dde |
- touch $SSSD_CONF
|
|
|
fe0dde |
- echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF
|
|
|
fe0dde |
-fi
|
|
|
fe0dde |
+{{{ bash_sssd_ldap_config(parameter="ldap_tls_cacertdir", value="$var_sssd_ldap_tls_ca_dir") }}}
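Review bot: `value="$var_sssd_ldap_tls_ca_dir"` hands the shell-expanded directory to the macro unescaped; the code it replaces used the same variable inside `sed -i "s~ldap_tls_cacertdir[^(\n)]*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~"`, where a `~`, `&` or `\` in the path would corrupt the edit, so the macro should be checked to escape the value it receives, or the variable should be escaped before being passed here. The retained `. /usr/share/scap-security-guide/remediation_functions` line no longer has a visible consumer now that `populate` is gone; if `bash_sssd_ldap_config` and `bash_instantiate_variables` do not rely on it, it can be dropped. sssd_ldap_start_tls/bash/shared.sh below keeps the same source line with nothing visibly using it.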
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
|
|
|
fe0dde |
index d554bc6f18..570aa1baf9 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
|
|
|
fe0dde |
@@ -28,11 +28,11 @@ identifiers:
|
|
|
fe0dde |
cce@rhel8: CCE-82456-5
|
|
|
fe0dde |
|
|
|
fe0dde |
references:
|
|
|
fe0dde |
- stigid@ol7: OL07-00-040190
|
|
|
fe0dde |
+ stigid@ol7: OL07-00-040200
|
|
|
fe0dde |
disa: CCI-001453
|
|
|
fe0dde |
nist: SC-12(3),CM-6(a)
|
|
|
fe0dde |
srg: SRG-OS-000250-GPOS-00093
|
|
|
fe0dde |
- stigid@rhel7: RHEL-07-040190
|
|
|
fe0dde |
+ stigid@rhel7: RHEL-07-040200
|
|
|
fe0dde |
|
|
|
fe0dde |
ocil_clause: 'the TLS CA cert is not configured'
|
|
|
fe0dde |
|
|
|
fe0dde |
@@ -42,3 +42,5 @@ ocil: |-
|
|
|
fe0dde |
$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf
|
|
|
fe0dde |
The output should return the following with a correctly configured CA cert path:
|
|
|
fe0dde |
ldap_tls_cacertdir /path/to/tls/cacert
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+platform: sssd-ldap
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
|
|
|
fe0dde |
index 82e56d89a6..ebd2a37df8 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
|
|
|
fe0dde |
@@ -4,4 +4,7 @@
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
setup_correct_sssd_config
|
|
|
fe0dde |
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
sed -i '/\[domain/d' /etc/sssd/sssd.conf
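Review bot: `yum -y install /usr/lib/systemd/system/sssd.service` installs by file provide, which depends on the repository filelists metadata being present and makes the intent of the line harder to read than installing the package that ships the unit (on RHEL that is `sssd-common`); `yum -y install sssd-common` would express the dependency directly. The same two lines are added to every other test scenario in this commit (the remaining sssd_ldap_configure_tls_ca_dir tests and all sssd_ldap_start_tls tests), so whichever form is chosen should be applied uniformly, ideally from a shared helper in `$SHARED/setup_config_files.sh` next to `setup_correct_sssd_config` rather than copied into ten scripts.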
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
|
|
|
fe0dde |
index 82bff74acf..99ca3f8fba 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
|
|
|
fe0dde |
@@ -3,3 +3,6 @@
|
|
|
fe0dde |
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
setup_correct_sssd_config
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
|
|
|
fe0dde |
index 8e06bfae6b..5fb3609015 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
|
|
|
fe0dde |
@@ -4,5 +4,8 @@
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
setup_correct_sssd_config
|
|
|
fe0dde |
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
sed -i 's:\(ldap_tls_cacertdir = \).*:\1/tmp/etc/openldap/cacerts:g' /etc/sssd/sssd.conf
|
|
|
fe0dde |
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
|
|
|
fe0dde |
index 58b1324e09..9dd958933d 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
|
|
|
fe0dde |
@@ -4,4 +4,7 @@
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
setup_correct_sssd_config
|
|
|
fe0dde |
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
sed -i 's:\(ldap_tls_cacertdir = \)/:\1:g' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
|
|
|
fe0dde |
index 38e88a1dc4..5a09eaf52f 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
|
|
|
fe0dde |
@@ -4,4 +4,7 @@
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
setup_correct_sssd_config
|
|
|
fe0dde |
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
sed -i '/ldap_tls_cacertdir/d' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
|
|
|
fe0dde |
index 07f4b1ea5a..b38bc41fe3 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
|
|
|
fe0dde |
@@ -4,44 +4,4 @@
|
|
|
fe0dde |
# complexity = low
|
|
|
fe0dde |
# disruption = medium
|
|
|
fe0dde |
|
|
|
fe0dde |
-- name: "Set LDAP to be used for authentication"
|
|
|
fe0dde |
- lineinfile:
|
|
|
fe0dde |
- path: /etc/sysconfig/authconfig
|
|
|
fe0dde |
- regexp: '^USELDAPAUTH='
|
|
|
fe0dde |
- line: 'USELDAPAUTH=yes'
|
|
|
fe0dde |
- create: yes
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-- name: "Test for domain group"
|
|
|
fe0dde |
- command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
|
|
|
fe0dde |
- register: test_grep_domain
|
|
|
fe0dde |
- ignore_errors: yes
|
|
|
fe0dde |
- changed_when: False
|
|
|
fe0dde |
- check_mode: no
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-- name: "Add default domain group and use STARTTLS (if no domain there)"
|
|
|
fe0dde |
- ini_file:
|
|
|
fe0dde |
- path: /etc/sssd/sssd.conf
|
|
|
fe0dde |
- section: "{{ item.section }}"
|
|
|
fe0dde |
- option: "{{ item.option }}"
|
|
|
fe0dde |
- value: "{{ item.value }}"
|
|
|
fe0dde |
- create: yes
|
|
|
fe0dde |
- mode: 0600
|
|
|
fe0dde |
- with_items:
|
|
|
fe0dde |
- - { section: sssd, option: domains, value: default}
|
|
|
fe0dde |
- - { section: domain/default, option: id_provider, value: files }
|
|
|
fe0dde |
- - { section: domain/default, option: ldap_id_use_start_tls, value: true}
|
|
|
fe0dde |
- when:
|
|
|
fe0dde |
- - test_grep_domain.stdout is defined
|
|
|
fe0dde |
- - test_grep_domain.stdout | length < 1
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-- name: "Configure LDAP to use STARTTLS"
|
|
|
fe0dde |
- ini_file:
|
|
|
fe0dde |
- path: /etc/sssd/sssd.conf
|
|
|
fe0dde |
- section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
|
|
|
fe0dde |
- option: ldap_id_use_start_tls
|
|
|
fe0dde |
- value: true
|
|
|
fe0dde |
- create: yes
|
|
|
fe0dde |
- mode: 0600
|
|
|
fe0dde |
- when:
|
|
|
fe0dde |
- - test_grep_domain.stdout is defined
|
|
|
fe0dde |
- - test_grep_domain.stdout | length > 0
|
|
|
fe0dde |
+{{{ ansible_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}}
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
|
|
|
fe0dde |
index 4b1d3d2544..805f7ad326 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
|
|
|
fe0dde |
@@ -3,27 +3,5 @@
|
|
|
fe0dde |
# Include source function library.
|
|
|
fe0dde |
. /usr/share/scap-security-guide/remediation_functions
|
|
|
fe0dde |
|
|
|
fe0dde |
-AUTHCONFIG="/etc/sysconfig/authconfig"
|
|
|
fe0dde |
-USELDAPAUTH_REGEX="^USELDAPAUTH="
|
|
|
fe0dde |
-SSSD_CONF="/etc/sssd/sssd.conf"
|
|
|
fe0dde |
-LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
|
|
|
fe0dde |
-DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
|
|
|
fe0dde |
+{{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}}
|
|
|
fe0dde |
|
|
|
fe0dde |
-# Try find USELDAPAUTH in authconfig. If its here set to 'yes', otherwise append USELDAPAUTH=yes
|
|
|
fe0dde |
-grep -qs "^USELDAPAUTH=" "$AUTHCONFIG" && sed -i 's/^USELDAPAUTH=.*/USELDAPAUTH=yes/g' $AUTHCONFIG
|
|
|
fe0dde |
-if ! [ $? -eq 0 ]; then
|
|
|
fe0dde |
- echo "USELDAPAUTH=yes" >> $AUTHCONFIG
|
|
|
fe0dde |
-fi
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-# Try find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'True'
|
|
|
fe0dde |
-# if ldap_id_use_start_tls isn't here, add it
|
|
|
fe0dde |
-# if [domain/..] doesn't exist, add it here for default domain
|
|
|
fe0dde |
-if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
|
|
|
fe0dde |
- sed -i 's/ldap_id_use_start_tls[^(\n)]*/ldap_id_use_start_tls = True/' $SSSD_CONF
|
|
|
fe0dde |
-elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
|
|
|
fe0dde |
- sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = True" $SSSD_CONF
|
|
|
fe0dde |
-else
|
|
|
fe0dde |
- mkdir -p /etc/sssd
|
|
|
fe0dde |
- touch $SSSD_CONF
|
|
|
fe0dde |
- echo -e "[domain/default]\nldap_id_use_start_tls = True" >> $SSSD_CONF
|
|
|
fe0dde |
-fi
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
|
|
|
fe0dde |
index a196220340..ed502062e4 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
|
|
|
fe0dde |
@@ -2,40 +2,23 @@
|
|
|
fe0dde |
<definition class="compliance" id="sssd_ldap_start_tls" version="1">
|
|
|
fe0dde |
<metadata>
|
|
|
fe0dde |
<title>Configure SSSD LDAP Backend to Use TLS For All Transactions</title>
|
|
|
fe0dde |
- <affected family="unix">
|
|
|
fe0dde |
- <platform>multi_platform_wrlinux</platform>
|
|
|
fe0dde |
- <platform>multi_platform_rhel</platform>
|
|
|
fe0dde |
- <platform>multi_platform_ol</platform>
|
|
|
fe0dde |
- </affected>
|
|
|
fe0dde |
+ {{{- oval_affected(products) }}}
|
|
|
fe0dde |
<description>LDAP should be used for authentication and use STARTTLS</description>
|
|
|
fe0dde |
</metadata>
|
|
|
fe0dde |
- <criteria operator="AND">
|
|
|
fe0dde |
- <criterion comment="Using LDAP for authentication set within /etc/sysconfig/authconfig" test_ref="test_use_ldap_authentication" />
|
|
|
fe0dde |
+ <criteria>
|
|
|
fe0dde |
<criterion comment="LDAP uses STARTTLS set within /etc/sssd/sssd.conf" test_ref="test_use_starttls" />
|
|
|
fe0dde |
</criteria>
|
|
|
fe0dde |
</definition>
|
|
|
fe0dde |
|
|
|
fe0dde |
-
|
|
|
fe0dde |
- comment="Ensures that LDAP is being used for authentication"
|
|
|
fe0dde |
- id="test_use_ldap_authentication" version="1">
|
|
|
fe0dde |
- <ind:object object_ref="object_use_ldap_authentication_authconfig" />
|
|
|
fe0dde |
- </ind:textfilecontent54_test>
|
|
|
fe0dde |
-
|
|
|
fe0dde |
|
|
|
fe0dde |
comment="Ensures that LDAP uses STARTTLS"
|
|
|
fe0dde |
id="test_use_starttls" version="1">
|
|
|
fe0dde |
<ind:object object_ref="object_use_starttls_sssd_conf" />
|
|
|
fe0dde |
</ind:textfilecontent54_test>
|
|
|
fe0dde |
|
|
|
fe0dde |
- <ind:textfilecontent54_object id="object_use_ldap_authentication_authconfig" version="1">
|
|
|
fe0dde |
- <ind:filepath>/etc/sysconfig/authconfig</ind:filepath>
|
|
|
fe0dde |
- <ind:pattern operation="pattern match">^USELDAPAUTH=((?i)yes)[ ]*$</ind:pattern>
|
|
|
fe0dde |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
fe0dde |
- </ind:textfilecontent54_object>
|
|
|
fe0dde |
-
|
|
|
fe0dde |
<ind:textfilecontent54_object id="object_use_starttls_sssd_conf" version="1">
|
|
|
fe0dde |
<ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
|
|
|
fe0dde |
- <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ ]*=[ ]*((?i)true)[ ]*$</ind:pattern>
|
|
|
fe0dde |
+ <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ \t]*=[ \t]*((?i)true)[ \t]*$</ind:pattern>
|
|
|
fe0dde |
<ind:instance datatype="int">1</ind:instance>
|
|
|
fe0dde |
</ind:textfilecontent54_object>
|
|
|
fe0dde |
</def-group>
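Review bot: The reworded description in sssd_ldap_start_tls/rule.yml states that `ldap_id_use_start_tls` may be set in `/etc/sssd/sssd.conf` or any of the `/etc/sssd/sssd.conf.d` configuration files, but `object_use_starttls_sssd_conf` keeps `<ind:filepath>/etc/sssd/sssd.conf</ind:filepath>` as its only target, so a compliant setting in a conf.d drop-in would be evaluated as a failure, and the ocil still tells the reader to run `grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf` alone. Either switch the object to an `<ind:path>`/`<ind:filename operation="pattern match">` pair that covers both locations, or remove the conf.d claim from the description so the check and its documentation agree. The `[ \t]*` change around `=` is fine, and the existing `((?i)true)` already accepts the lowercase `true` the new remediations write.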
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
|
|
|
fe0dde |
index b81a8b8ff5..452de1d014 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
|
|
|
fe0dde |
@@ -5,15 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
|
|
|
fe0dde |
title: 'Configure SSSD LDAP Backend to Use TLS For All Transactions'
|
|
|
fe0dde |
|
|
|
fe0dde |
description: |-
|
|
|
fe0dde |
- This check verifies that {{{ full_name }}} implements cryptography
|
|
|
fe0dde |
- to protect the integrity of remote LDAP authentication sessions.
|
|
|
fe0dde |
+ The LDAP client should be configured to implement TLS for the integrity
|
|
|
fe0dde |
+ of all remote LDAP authentication sessions. If the <tt>id_provider</tt> is
|
|
|
fe0dde |
+ set to <tt>ldap</tt> or <tt>ipa</tt> in <tt>/etc/sssd/sssd.conf</tt> or any of the
|
|
|
fe0dde |
+ <tt>/etc/sssd/sssd.conf.d</tt> configuration files, <tt>ldap_id_use_start_tls</tt>
|
|
|
fe0dde |
+ must be set to <tt>true</tt>.
|
|
|
fe0dde |
|
|
|
fe0dde |
- To determine if LDAP is being used for authentication, use the following
|
|
|
fe0dde |
- command:
|
|
|
fe0dde |
- $ sudo grep -i useldapauth /etc/sysconfig/authconfig
|
|
|
fe0dde |
-
|
|
|
fe0dde |
- If <tt>USELDAPAUTH=yes</tt>, then LDAP is being used. To check if LDAP is
|
|
|
fe0dde |
- configured to use TLS, use the following command:
|
|
|
fe0dde |
+ To check if LDAP is configured to use TLS when <tt>id_provider</tt> is
|
|
|
fe0dde |
+ set to <tt>ldap</tt> or <tt>ipa</tt>, use the following command:
|
|
|
fe0dde |
$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf
|
|
|
fe0dde |
|
|
|
fe0dde |
rationale: |-
|
|
|
fe0dde |
@@ -41,8 +40,10 @@ references:
|
|
|
fe0dde |
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
|
|
|
fe0dde |
cis-csc: 11,12,14,15,3,8,9
|
|
|
fe0dde |
|
|
|
fe0dde |
-ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''True'''
|
|
|
fe0dde |
+ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''true'''
|
|
|
fe0dde |
|
|
|
fe0dde |
ocil: |-
|
|
|
fe0dde |
If the system is not using TLS, set the <tt>ldap_id_use_start_tls</tt> option
|
|
|
fe0dde |
- in <tt>/etc/sssd/sssd.conf</tt> to <tt>True</tt>.
|
|
|
fe0dde |
+ in <tt>/etc/sssd/sssd.conf</tt> to <tt>true</tt>.
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+platform: sssd-ldap
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh
|
|
|
fe0dde |
new file mode 100644
|
|
|
fe0dde |
index 0000000000..83ae606ece
|
|
|
fe0dde |
--- /dev/null
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh
|
|
|
fe0dde |
@@ -0,0 +1,11 @@
|
|
|
fe0dde |
+#!/bin/bash
|
|
|
fe0dde |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
+setup_correct_sssd_config
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+sed -i 's/ldap_id_use_start_tls = true/ldap_id_use_start_tls = false/I' /etc/sssd/sssd.conf
|
|
|
fe0dde |
+sed -i 's/id_provider = ldap/id_provider = ad/I' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
|
|
|
fe0dde |
similarity index 50%
|
|
|
fe0dde |
rename from linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh
|
|
|
fe0dde |
rename to linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
|
|
|
fe0dde |
index 75a80d37cc..99ca3f8fba 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
|
|
|
fe0dde |
@@ -2,6 +2,7 @@
|
|
|
fe0dde |
# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
-setup_correct_auth_and_sssd_configs
|
|
|
fe0dde |
+setup_correct_sssd_config
|
|
|
fe0dde |
|
|
|
fe0dde |
-sed -i '/USELDAPAUTH/d' /etc/sysconfig/authconfig
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh
|
|
|
fe0dde |
new file mode 100644
|
|
|
fe0dde |
index 0000000000..9ec246444f
|
|
|
fe0dde |
--- /dev/null
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh
|
|
|
fe0dde |
@@ -0,0 +1,10 @@
|
|
|
fe0dde |
+#!/bin/bash
|
|
|
fe0dde |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
+setup_correct_sssd_config
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+sed -i 's/id_provider = ldap/id_provider = ad/I' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh
|
|
|
fe0dde |
new file mode 100644
|
|
|
fe0dde |
index 0000000000..f0942ddf74
|
|
|
fe0dde |
--- /dev/null
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh
|
|
|
fe0dde |
@@ -0,0 +1,10 @@
|
|
|
fe0dde |
+#!/bin/bash
|
|
|
fe0dde |
+# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
+setup_correct_sssd_config
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+sed -i 's/ldap_id_use_start_tls = true/ldap_id_use_start_tls = false/I' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh
|
|
|
fe0dde |
deleted file mode 100644
|
|
|
fe0dde |
index 4bbf0ad01a..0000000000
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh
|
|
|
fe0dde |
+++ /dev/null
|
|
|
fe0dde |
@@ -1,7 +0,0 @@
|
|
|
fe0dde |
-#!/bin/bash
|
|
|
fe0dde |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
-setup_correct_auth_and_sssd_configs
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-sed -i 's/ldap_id_use_start_tls = True/ldap_id_use_start_tls = False/' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
|
|
|
fe0dde |
index 0ce168ed97..3952176952 100644
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
|
|
|
fe0dde |
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
|
|
|
fe0dde |
@@ -2,6 +2,9 @@
|
|
|
fe0dde |
# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
|
|
|
fe0dde |
. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
-setup_correct_auth_and_sssd_configs
|
|
|
fe0dde |
+setup_correct_sssd_config
|
|
|
fe0dde |
+
|
|
|
fe0dde |
+yum -y install /usr/lib/systemd/system/sssd.service
|
|
|
fe0dde |
+systemctl enable sssd
|
|
|
fe0dde |
|
|
|
fe0dde |
sed -i '/ldap_id_use_start_tls/d' /etc/sssd/sssd.conf
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh
|
|
|
fe0dde |
deleted file mode 100644
|
|
|
fe0dde |
index f8ca33b8d4..0000000000
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh
|
|
|
fe0dde |
+++ /dev/null
|
|
|
fe0dde |
@@ -1,5 +0,0 @@
|
|
|
fe0dde |
-#!/bin/bash
|
|
|
fe0dde |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
-setup_correct_auth_and_sssd_configs
|
|
|
fe0dde |
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh
|
|
|
fe0dde |
deleted file mode 100644
|
|
|
fe0dde |
index 64b0c21c28..0000000000
|
|
|
fe0dde |
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh
|
|
|
fe0dde |
+++ /dev/null
|
|
|
fe0dde |
@@ -1,7 +0,0 @@
|
|
|
fe0dde |
-#!/bin/bash
|
|
|
fe0dde |
-# profiles = xccdf_org.ssgproject.content_profile_stig
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-. $SHARED/setup_config_files.sh
|
|
|
fe0dde |
-setup_correct_auth_and_sssd_configs
|
|
|
fe0dde |
-
|
|
|
fe0dde |
-sed -i 's/USELDAPAUTH=yes/USELDAPAUTH=no/' /etc/sysconfig/authconfig
|
|
|
fe0dde |
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
|
|
|
fe0dde |
index 5d4691aaf6..59c5c728aa 100644
|
|
|
fe0dde |
--- a/ol7/cpe/ol7-cpe-dictionary.xml
|
|
|
fe0dde |
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
|
|
|
fe0dde |
@@ -76,4 +76,8 @@
|
|
|
fe0dde |
<title xml:lang="en-us">System uses zipl</title>
|
|
|
fe0dde |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
|
|
fe0dde |
</cpe-item>
|
|
|
fe0dde |
+ <cpe-item name="cpe:/a:sssd-ldap">
|
|
|
fe0dde |
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
|
|
|
fe0dde |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
|
|
|
fe0dde |
+ </cpe-item>
|
|
|
fe0dde |
</cpe-list>
|
|
|
fe0dde |
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
|
|
|
fe0dde |
index 35167b1f70..473ba36235 100644
|
|
|
fe0dde |
--- a/ol8/cpe/ol8-cpe-dictionary.xml
|
|
|
fe0dde |
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
|
|
|
fe0dde |
@@ -71,4 +71,8 @@
|
|
|
fe0dde |
<title xml:lang="en-us">System uses zipl</title>
|
|
|
fe0dde |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
|
|
fe0dde |
</cpe-item>
|
|
|
fe0dde |
+ <cpe-item name="cpe:/a:sssd-ldap">
|
|
|
fe0dde |
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
|
|
|
fe0dde |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
|
|
|
fe0dde |
+ </cpe-item>
|
|
|
fe0dde |
</cpe-list>
|
|
|
fe0dde |
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
fe0dde |
index bc2aa869e8..e6b88f55cd 100644
|
|
|
fe0dde |
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
fe0dde |
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
|
|
|
fe0dde |
@@ -106,4 +106,8 @@
|
|
|
fe0dde |
<title xml:lang="en-us">System uses zipl</title>
|
|
|
fe0dde |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
|
|
fe0dde |
</cpe-item>
|
|
|
fe0dde |
+ <cpe-item name="cpe:/a:sssd-ldap">
|
|
|
fe0dde |
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
|
|
|
fe0dde |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
|
|
|
fe0dde |
+ </cpe-item>
|
|
|
fe0dde |
</cpe-list>
|
|
|
fe0dde |
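--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -235,6 +235,7 @@ selections:
 - accounts_tmout
 - sshd_enable_warning_banner
 - sssd_ldap_start_tls
+ - sssd_ldap_start_tls.severity=medium
 - sssd_ldap_configure_tls_ca_dir
 - sssd_ldap_configure_tls_ca
 - sysctl_kernel_randomize_va_space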
|
|
|
fe0dde |
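--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -76,4 +76,8 @@
 <title xml:lang="en-us">System uses zipl</title>
 <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
 </cpe-item>
+ <cpe-item name="cpe:/a:sssd-ldap">
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
+ </cpe-item>
 </cpe-list>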
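--- /dev/null
+++ b/shared/checks/oval/sssd_conf_uses_ldap.xml
@@ -0,0 +1,28 @@
+<def-group>
+ <definition class="inventory" id="sssd_conf_uses_ldap" version="1">
+ <metadata>
+ <title>SSSD is configured to use LDAP</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Identification provider is not set to ad within /etc/sssd/sssd.conf</description>
+ <reference ref_id="cpe:/a:sssd-ldap" source="CPE" />
+ </metadata>
+ <criteria>
+
+ test_ref="test_id_provider_is_set_to_ad" negate="true"/>
+ </criteria>
+ </definition>
+
+
+ comment="SSSD Configuration is set to use Active Directory"
+ id="test_id_provider_is_set_to_ad" version="1">
+ <ind:object object_ref="object_id_provider_is_set_to_ad"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_id_provider_is_set_to_ad" version="1">
+ <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>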
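Review bot: The inventory definition is satisfied on a host that has no /etc/sssd/sssd.conf at all, because its only criterion is the negated textfilecontent54_test and, to my reading of OVAL semantics, a test whose object does not exist evaluates to false before negation; that makes the sssd-ldap platform, and every rule gated on it, applicable to machines not running SSSD, which contradicts the non-applicability the bash remediation later in this commit assumes when the file is missing. Consider adding a second criterion under an AND operator that requires /etc/sssd/sssd.conf to exist, or matching the LDAP provider positively with a pattern such as `id_provider[ \t]*=[ \t]*((?i)ldap)` so that the title "SSSD is configured to use LDAP" and the description "not set to ad" describe the same test. With instance 1 and a lazy `+?` group, one [domain/…] section carrying id_provider = ad classifies the whole host as non-LDAP even if another domain section uses LDAP; if multi-domain hosts are in scope, the description should say which behaviour is intended. The opening tags of the criterion and textfilecontent54_test elements are not visible in the rendered hunk, which is presumably a display artifact rather than the file's content.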
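--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -534,3 +534,29 @@
 <description>{{{ description }}}</description>
 </metadata>
 {{%- endmacro %}}
+
+
+{{% macro bash_sssd_ldap_config(parameter, value) -%}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*{{{ parameter }}}'
+AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
+DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
+
+# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
+# Try to find [domain/..] and {{{ parameter }}} in sssd.conf, if it exists, set to '{{{ value }}}'
+# if {{{ parameter }}} isn't here, add it
+# if [domain/..] doesn't exist, add it here for default domain
+if grep -qvzosP $AD_REGEX $SSSD_CONF; then
+ if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
+ sed -i "s#{{{ parameter }}}[^(\n)]*#{{{ parameter }}} = {{{ value }}}#" $SSSD_CONF
+ elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
+ sed -i "/$DOMAIN_REGEX/a {{{ parameter }}} = {{{ value }}}" $SSSD_CONF
+ else
+ if test -f "$SSSD_CONF"; then
+ echo -e "[domain/default]\n{{{ parameter }}} = {{{ value }}}" >> $SSSD_CONF
+ else
+ echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
+ fi
+ fi
+fi
+{{%- endmacro %}}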
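Review bot: The sed in the LDAP branch, `s#{{{ parameter }}}[^(\n)]*#{{{ parameter }}} = {{{ value }}}#`, is anchored neither to the start of a line nor to the `=` after the key, so it rewrites every line on which the parameter name occurs as a substring anywhere in the file, including commented-out lines and longer keys sharing the same prefix; if this macro serves both the ldap_tls_cacert and ldap_tls_cacertdir rules touched earlier in this commit, remediating ldap_tls_cacert would turn an existing `ldap_tls_cacertdir = …` line into `ldap_tls_cacert = …`, silently dropping the directory setting and leaving a duplicate key. Anchoring the substitution, `sed -i "s#^[[:space:]]*{{{ parameter }}}[[:space:]]*=.*#{{{ parameter }}} = {{{ value }}}#" "$SSSD_CONF"`, confines the edit to a real assignment of that key, and LDAP_REGEX wants the same `[[:space:]]*=` suffix so the prefix case is not detected as "already present". All three regex variables and $SSSD_CONF are expanded unquoted in the grep and sed calls, so the shell applies pathname expansion to patterns made of `[`, `*` and `?`; quoting them as `"$AD_REGEX"` and `"$SSSD_CONF"` costs nothing. The "doesnt exist" message also looks unreachable: when the file is missing, the outer `grep -qvzosP` exits non-zero and the whole block is skipped without output, so the existence test should come first if that diagnostic is meant to be seen.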
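--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -496,6 +496,7 @@
 "pam": "cpe:/a:pam",
 "login_defs": "cpe:/a:login_defs",
 "sssd": "cpe:/a:sssd",
+ "sssd-ldap": "cpe:/a:sssd-ldap",
 "systemd": "cpe:/a:systemd",
 "yum": "cpe:/a:yum",
 "zipl": "cpe:/a:zipl",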
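--- a/tests/shared/setup_config_files.sh
+++ b/tests/shared/setup_config_files.sh
@@ -1,15 +1,8 @@
 #!/bin/bash
 
-configs_dir="$( dirname "${BASH_SOURCE[0]}" )/example-configs"
+configs_dir="$( dirname "${BASH_SOURCE[0]}" )"
 
 setup_correct_sssd_config() {
 mkdir -p /etc/sssd
 cp "$configs_dir/sssd.conf" /etc/sssd/
 }
-
-setup_correct_auth_and_sssd_configs() {
- mkdir -p /etc/sysconfig
- cp "$configs_dir/authconfig" /etc/sysconfig/
-
- setup_correct_sssd_config
-}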
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
|
|
fe0dde |
index ef7e803505..f32e69e118 100644
|
|
|
fe0dde |
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
|
|
fe0dde |
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
|
|
|
fe0dde |
@@ -75,4 +75,8 @@
|
|
|
fe0dde |
<title xml:lang="en-us">System uses zipl</title>
|
|
|
fe0dde |
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
|
|
|
fe0dde |
</cpe-item>
|
|
|
fe0dde |
+ <cpe-item name="cpe:/a:sssd-ldap">
|
|
|
fe0dde |
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
|
|
|
fe0dde |
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
|
|
|
fe0dde |
+ </cpe-item>
|
|
|
fe0dde |
</cpe-list>
|