From 6eeef4054d707b8b255e9fa600c4c7babffbf5f7 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Mon, 2 Aug 2021 08:37:04 -0500
Subject: [PATCH] Add rule for RHEL-08-020090
---
.../sssd/sssd_enable_certmap/rule.yml | 58 +++++++++++++++++++
.../sssd_enable_certmap/tests/default.fail.sh | 4 ++
.../tests/with_section.pass.sh | 7 +++
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
7 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
new file mode 100644
index 0000000000..0614a2f4a0
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
@@ -0,0 +1,58 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Enable Certmap in SSSD'
+
+description: |-
+ SSSD should be configured to verify the certificate of the user or group. To set this up
+ ensure that section like <tt>certmap/testing.test/rule_name</tt> is setup in
+ <tt>/etc/sssd/sssd.conf</tt>. For example
+
+ [certmap/testing.test/rule_name]
+ matchrule =<SAN>.*EDIPI@mil
+ maprule = (userCertificate;binary={cert!bin})
+ domains = testing.test
+
+
+rationale: |-
+ Without mapping the certificate used to authenticate to the user account, the ability to
+ determine the identity of the individual user or group will not be available for forensic
+ analysis.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86060-1
+
+references:
+ disa: CCI-000187
+ nist: IA-5 (2) (c)
+ stigid@rhel8: RHEL-08-020090
+
+warnings:
+ - general: |-
+ Automatic remediation of this control is not available, since all of the settings in
+ in the certmap need to be customized.
+
+ocil_clause: 'Certmap is not configured in SSSD'
+
+ocil: |-
+ To verify Certmap is enabled in SSSD, run the following command:
+ $ cat sudo cat /etc/sssd/sssd.conf
+ If configured properly, output should contain section like the following
+
+ [certmap/testing.test/rule_name]
+ matchrule =<SAN>.*EDIPI@mil
+ maprule = (userCertificate;binary={cert!bin})
+ domains = testing.test
+
+
+template:
+ name: lineinfile
+ vars:
+ path: '/etc/sssd/sssd.conf'
+ text: '^\[certmap\/.+\/.+\]$'
+ backends:
+ ansible: "off"
+ bash: "off"
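Review bot: The OCIL check command `$ cat sudo cat /etc/sssd/sssd.conf` is malformed and will not run as written; it should read `$ sudo cat /etc/sssd/sssd.conf`. The automated check is a lineinfile match on `^\[certmap\/.+\/.+\]$`, so a bare section header with no matchrule/maprule/domains keys passes the scan while providing no usable mapping; the description should say that only the presence of the header is checked so auditors know to review the rule body by hand. The warnings text also doubles a word, `settings in in the certmap`, and the description reads better as `ensure that a section like`.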
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
new file mode 100644
index 0000000000..1e31c0da19
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /etc/sssd/sssd.conf
+sed -i "s/\[certmap.*//g" /etc/sssd/sssd.conf
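Review bot: The `sed -i "s/\[certmap.*//g"` on the last line only blanks the section header, so any matchrule/maprule/domains keys that followed it stay in the file and fold into whatever section precedes them. That is enough to make the lineinfile check fail, but a fixture built from a real sssd.conf would then carry stray keys in the wrong section; deleting the whole block with `sed -i '/^\[certmap/,/^$/d' /etc/sssd/sssd.conf` keeps the fixture clean.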
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
new file mode 100644
index 0000000000..911e095f5d
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+cat >> /etc/sssd/sssd.conf<< EOF
+[certmap/testing.test/rule_name]
+matchrule =<SAN>.*EDIPI@mil
+maprule = (userCertificate;binary={cert!bin})
+domains = testing.test
+EOF
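Review bot: The heredoc opened by `cat >> /etc/sssd/sssd.conf<< EOF` is unquoted, so the shell performs parameter and command substitution on the certmap body before it is written. The sample rules here contain no `$` or backtick, but certmap maprules are free-form and a later edit could introduce one; quoting the delimiter as `<< 'EOF'` keeps the appended block literal at no cost.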
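--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -503,6 +503,7 @@ selections:
 # RHEL-08-020080
 
 # RHEL-08-020090
+ - sssd_enable_certmap
 
 # RHEL-08-020100
 - accounts_password_pam_retry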
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 73d025484e..e80557f033 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -186,7 +186,6 @@ CCE-86056-9
CCE-86057-7
CCE-86058-5
CCE-86059-3
-CCE-86060-1
CCE-86061-9
CCE-86062-7
CCE-86063-5
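--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -275,6 +275,7 @@ selections:
 - sshd_set_keepalive_0
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sssd_enable_certmap
 - sssd_enable_smartcards
 - sssd_offline_cred_expiration
 - sudo_remove_no_authenticate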
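--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -286,6 +286,7 @@ selections:
 - sshd_set_keepalive_0
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sssd_enable_certmap
 - sssd_enable_smartcards
 - sssd_offline_cred_expiration
 - sudo_remove_no_authenticate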