Blame SOURCES/scap-security-guide-0.1.58-RHEL_08_020090-PR_7313.patch

76240a
From 6eeef4054d707b8b255e9fa600c4c7babffbf5f7 Mon Sep 17 00:00:00 2001
76240a
From: Matthew Burket <mburket@redhat.com>
76240a
Date: Mon, 2 Aug 2021 08:37:04 -0500
76240a
Subject: [PATCH] Add rule for RHEL-08-020090
76240a
76240a
---
76240a
 .../sssd/sssd_enable_certmap/rule.yml         | 58 +++++++++++++++++++
76240a
 .../sssd_enable_certmap/tests/default.fail.sh |  4 ++
76240a
 .../tests/with_section.pass.sh                |  7 +++
76240a
 products/rhel8/profiles/stig.profile          |  1 +
76240a
 shared/references/cce-redhat-avail.txt        |  1 -
76240a
 .../data/profile_stability/rhel8/stig.profile |  1 +
76240a
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
76240a
 7 files changed, 72 insertions(+), 1 deletion(-)
76240a
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
76240a
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
76240a
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
76240a
76240a
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
76240a
new file mode 100644
76240a
index 0000000000..0614a2f4a0
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
76240a
@@ -0,0 +1,58 @@
76240a
+documentation_complete: true
76240a
+
76240a
+prodtype: fedora,rhel8
76240a
+
76240a
+title: 'Enable Certmap in SSSD'
76240a
+
76240a
+description: |-
76240a
+   SSSD should be configured to verify the certificate of the user or group. To set this up
76240a
+    ensure that section like <tt>certmap/testing.test/rule_name</tt> is setup in
76240a
+   <tt>/etc/sssd/sssd.conf</tt>. For example
76240a
+   
76240a
+   [certmap/testing.test/rule_name]
76240a
+   matchrule =<SAN>.*EDIPI@mil
76240a
+   maprule = (userCertificate;binary={cert!bin})
76240a
+   domains = testing.test
76240a
+   
76240a
+
76240a
+rationale: |-
76240a
+   Without mapping the certificate used to authenticate to the user account, the ability to
76240a
+   determine the identity of the individual user or group will not be available for forensic
76240a
+   analysis.
76240a
+
76240a
+severity: medium
76240a
+
76240a
+identifiers:
76240a
+   cce@rhel8: CCE-86060-1
76240a
+
76240a
+references:
76240a
+   disa: CCI-000187
76240a
+   nist: IA-5 (2) (c)
76240a
+   stigid@rhel8: RHEL-08-020090
76240a
+
76240a
+warnings:
76240a
+    - general: |-
76240a
+        Automatic remediation of this control is not available, since all of the settings in
76240a
+        in the certmap need to be customized.
76240a
+
76240a
+ocil_clause: 'Certmap is not configured in SSSD'
76240a
+
76240a
+ocil: |-
76240a
+    To verify Certmap is enabled in SSSD, run the following command:
76240a
+    
$ cat sudo cat /etc/sssd/sssd.conf
76240a
+    If configured properly, output should contain section like the following
76240a
+    
76240a
+    [certmap/testing.test/rule_name]
76240a
+    matchrule =<SAN>.*EDIPI@mil
76240a
+    maprule = (userCertificate;binary={cert!bin})
76240a
+    domains = testing.test
76240a
+    
76240a
+
76240a
+template:
76240a
+    name: lineinfile
76240a
+    vars:
76240a
+      path: '/etc/sssd/sssd.conf'
76240a
+      text: '^\[certmap\/.+\/.+\]$'
76240a
+    backends:
76240a
+        ansible: "off"
76240a
+        bash: "off"
76240a
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
76240a
new file mode 100644
76240a
index 0000000000..1e31c0da19
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
76240a
@@ -0,0 +1,4 @@
76240a
+#!/bin/bash
76240a
+
76240a
+touch /etc/sssd/sssd.conf
76240a
+sed -i "s/\[certmap.*//g" /etc/sssd/sssd.conf
76240a
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
76240a
new file mode 100644
76240a
index 0000000000..911e095f5d
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
76240a
@@ -0,0 +1,7 @@
76240a
+#!/bin/bash
76240a
+cat >> /etc/sssd/sssd.conf<< EOF
76240a
+[certmap/testing.test/rule_name]
76240a
+matchrule =<SAN>.*EDIPI@mil
76240a
+maprule = (userCertificate;binary={cert!bin})
76240a
+domains = testing.test
76240a
+EOF
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index f17a7b88b1..ec0a3b1753 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -503,6 +503,7 @@ selections:
76240a
     # RHEL-08-020080
76240a
 
76240a
     # RHEL-08-020090
76240a
+    - sssd_enable_certmap
76240a
 
76240a
     # RHEL-08-020100
76240a
     - accounts_password_pam_retry
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index 73d025484e..e80557f033 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -186,7 +186,6 @@ CCE-86056-9
76240a
 CCE-86057-7
76240a
 CCE-86058-5
76240a
 CCE-86059-3
76240a
-CCE-86060-1
76240a
 CCE-86061-9
76240a
 CCE-86062-7
76240a
 CCE-86063-5
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index 236e595604..bffa509b69 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -275,6 +275,7 @@ selections:
76240a
 - sshd_set_keepalive_0
76240a
 - sshd_use_strong_rng
76240a
 - sshd_x11_use_localhost
76240a
+- sssd_enable_certmap
76240a
 - sssd_enable_smartcards
76240a
 - sssd_offline_cred_expiration
76240a
 - sudo_remove_no_authenticate
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 9973b5adef..c84ac75c7b 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -286,6 +286,7 @@ selections:
76240a
 - sshd_set_keepalive_0
76240a
 - sshd_use_strong_rng
76240a
 - sshd_x11_use_localhost
76240a
+- sssd_enable_certmap
76240a
 - sssd_enable_smartcards
76240a
 - sssd_offline_cred_expiration
76240a
 - sudo_remove_no_authenticate