From f027c56e45e703663c25dea18f78111d5d8a7e0f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 19 Aug 2021 11:16:08 -0500
Subject: [PATCH] Added rule for RHEL-08-010400

---
 .../ansible/shared.yml                        | 27 +++++++++++++
 .../bash/shared.sh                            | 33 +++++++++++++++
 .../oval/shared.xml                           | 30 ++++++++++++++
 .../sssd_certificate_verification/rule.yml    | 40 +++++++++++++++++++
 .../tests/correct_value.pass.sh               |  6 +++
 .../tests/correct_with_others_before.pass.sh  |  6 +++
 .../tests/not_configured.fail.sh              |  5 +++
 .../tests/partial_config.fail.sh              |  6 +++
 .../tests/wrong_section.fail.sh               |  6 +++
 .../tests/wrong_value.fail.sh                 |  6 +++
 ...rtificate_verification_digest_function.var | 20 ++++++++++
 products/rhel8/profiles/stig.profile          |  2 +
 shared/references/cce-redhat-avail.txt        |  1 -
 .../data/profile_stability/rhel8/stig.profile |  4 +-
 .../profile_stability/rhel8/stig_gui.profile  |  4 +-
 15 files changed, 193 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
 create mode 100644 linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var

diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
new file mode 100644
index 00000000000..8e36f0974fd
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
@@ -0,0 +1,27 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
+  ini_file:
+      path: /etc/sssd/sssd.conf
+      section: sssd
+      option: certificate_verification
+      state: absent
+
+- name: 'Ensure that "certificate_verification" is not set in  /etc/sssd/conf.d/*.conf'
+  ini_file:
+      path: /etc/sssd/conf.d/*.conf
+      section: sssd
+      option: certificate_verification
+      state: absent
+
+- name: Ensure that "certificate_verification" is set
+  ini_file:
+      path: /etc/sssd/conf.d/certificate_verification.conf
+      section: sssd
+      option: certificate_verification
+      value: "ocsp_dgst = sha1"
+      state: present
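Review bot: The third task hardcodes `value: "ocsp_dgst = sha1"` while the bash remediation and the OVAL state both take the digest from `var_sssd_certificate_verification_digest_function`, so a profile that selects any other digest is remediated by Ansible to a value the check then rejects. Instantiate the variable with `ansible_instantiate_variables` (the Ansible counterpart of the `bash_instantiate_variables` macro used in bash/shared.sh) and reference it in the value. The task also creates /etc/sssd/conf.d/certificate_verification.conf without `owner`/`group`/`mode`, whereas the bash version applies `chown root:root` and `chmod 600`; setting them here keeps both remediations producing the same file. The second task passes `path: /etc/sssd/conf.d/*.conf` to `ini_file`, which treats it as a literal filename rather than a glob, so existing conf.d snippets are presumably not cleaned up as intended — confirm against the module's behaviour and iterate over the matching files if cleanup is wanted.
```yaml
{{{ ansible_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}

# … unchanged: the two "state: absent" tasks …

- name: Ensure that "certificate_verification" is set
  ini_file:
      path: /etc/sssd/conf.d/certificate_verification.conf
      section: sssd
      option: certificate_verification
      value: "ocsp_dgst = {{ var_sssd_certificate_verification_digest_function }}"
      state: present
      owner: root
      group: root
      mode: '0600'
```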
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
new file mode 100644
index 00000000000..8f9e5514480
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
@@ -0,0 +1,33 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+# include our remediation functions library
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
+
+found=false
+for f in /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf; do
+	if [ ! -e "$f" ]; then
+		continue
+	fi
+	cert=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*certificate_verification\\s*=\\s*ocsp_dgst\\s*=\\s*(\\w+).*","\\1",1); if($0!=nu){cert=nu}} END{print cert}' "$f" )
+	if [ -n "$cert" ] ; then
+		if [ "$cert" != $var_sssd_certificate_verification_digest_function ] ; then
+			sed -i "s/^certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
+		fi
+		found=true
+	fi
+done
+
+if ! $found ; then
+	SSSD_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+	mkdir -p $( dirname $SSSD_CONF )
+	touch $SSSD_CONF
+	chown root:root $SSSD_CONF
+	chmod 600 $SSSD_CONF
+	echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> $SSSD_CONF
+fi
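Review bot: The `sed` inside the `if [ "$cert" != ... ]` branch rewrites every line beginning with `certificate_verification` in the file, not just the one in the `[sssd]` section the awk scan restricted itself to, and its `.*` tail discards anything else on that line (SSSD takes a comma-separated option list for this key, so settings such as a CRL path would be silently dropped — confirm against the sssd.conf man page); it also requires the key at column 0 while the awk accepts leading whitespace. The awk only recognises `ocsp_dgst=<word>` directly after the `=`, so a line with `ocsp_dgst=` and no digest (the partial_config.fail.sh case) or with ocsp_dgst preceded by another option leaves `found=false`, and the fallback then appends a second `[sssd]` setting in conf.d while the original line stays behind. A narrower replacement that swaps only the digest token keeps the rest of the line intact: `sed -i -E "s/^(\s*certificate_verification\s*=.*ocsp_dgst\s*=\s*)[[:alnum:]_]+/\1${var_sssd_certificate_verification_digest_function}/" "$f"`. The expansions in `[ "$cert" != $var_sssd_certificate_verification_digest_function ]`, `dirname $SSSD_CONF`, the `touch`/`chown`/`chmod` lines and the `echo -e` are unquoted; quote them and prefer `printf '[sssd]\ncertificate_verification = ocsp_dgst=%s\n' "$var_sssd_certificate_verification_digest_function" >> "$SSSD_CONF"`. Note the remediation writes `ocsp_dgst = sha1` with spaces whereas the rule's OCIL text shows `ocsp_dgst=sha1`; unless SSSD's option parser is known to tolerate inner whitespace, emit the documented form.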
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
new file mode 100644
index 00000000000..77736f54f03
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
@@ -0,0 +1,30 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+           {{{ oval_metadata("SSSD should be configured with the correct ocsp_dgst
+            digest function") }}}
+        <criteria>
+            <criterion comment="check value of certificate_verification in sssd configuration"
+                       test_ref="test_{{{rule_id}}}" />
+        </criteria>
+    </definition>
+
+    <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="test the value of
+        certificate_verification in sssd configuration" id="test_{{{rule_id}}}" version="1">
+        <ind:object object_ref="obj_{{{rule_id}}}" />
+        <ind:state state_ref="state_{{{rule_id}}}" />
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">
+        <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
+        <ind:pattern operation="pattern match">^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst\s*=\s*(\w+)$</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_state comment="value of certificate_verification" id="state_{{{rule_id}}}" version="1">
+        <ind:subexpression operation="equals" var_check="all"
+                           var_ref="var_sssd_certificate_verification_digest_function" />
+    </ind:textfilecontent54_state>
+
+    <external_variable comment="certificate_verification value" datatype="string"
+                       id="var_sssd_certificate_verification_digest_function" version="1" />
+</def-group>
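Review bot: The `<ind:pattern>` only matches a `certificate_verification` line whose value is exactly `ocsp_dgst=<digest>`: `=\s*ocsp_dgst` requires ocsp_dgst to be the first option and `(\w+)$` requires the digest to end the line, so a setting such as `ocsp_dgst=sha1,crl_file=...` or one with another option listed first fails the test even though the required digest is configured (SSSD accepts a comma-separated list here — confirm against the man page). Matching the token anywhere in the value, e.g. `certificate_verification\s*=[^\n]*\bocsp_dgst\s*=\s*(\w+)` after the section prefix, would avoid that false negative. The section walker `(?:[^\n\[]*\n+)+?` stops at any line that contains `[`, including a comment that mentions another section name, so a commented-out header inside the `[sssd]` block hides a valid setting; excluding only lines that start a section, e.g. `(?:(?!\s*\[)[^\n]*\n)+?`, is safer (hedged — verify against the regex dialect the scanner uses). The test's comment attribute could also say that with `check="all"` every matching sssd.conf and conf.d/*.conf file must carry the same digest, since a conf.d snippet presumably overrides sssd.conf at runtime.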
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
new file mode 100644
index 00000000000..182e75a2aab
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Certificate certificate status checking in SSSD'
+
+description: |-
+    Multifactor solutions that require devices separate from information systems gaining access include,
+    for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
+    By configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst=sha1</tt> sures that certificates for
+    multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
+
+rationale: |-
+    Enusring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
+    ensures the security of the system.
+
+severity: medium
+
+identifiers:
+   cce@rhel8: CCE-86120-3
+
+references:
+    disa: CCI-001948
+    nist: IA-2(11)
+    srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162
+    stigid@rhel8: RHEL-08-010400
+
+
+ocil_clause: 'certificate_verification in sssd is not configured'
+
+ocil: |-
+    Check to see if Online Certificate Status Protocol (OCSP)
+    is enabled and using the proper digest value on the system with the following command:
+    <pre>$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"</pre>
+    If configured properly, output should look like
+    <pre>
+        certificate_verification = ocsp_dgst=sha1
+    </pre>
+    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
+    <pre>$ sudo systemctl restart sssd.service</pre>
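Review bot: The OCIL command `grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"` does not filter comments: with more than one file argument grep prefixes every line with the filename, so `^#` never matches and a commented-out `# certificate_verification = ocsp_dgst=sha1` is shown as if it were active. `grep -E '^\s*certificate_verification' /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf` excludes comment lines by anchoring on the key and needs no second grep. The expected output hardcodes `ocsp_dgst=sha1` although the check compares against `var_sssd_certificate_verification_digest_function`; rendering the selected value with the project's `xccdf_value` macro would keep the text in step with the profile (confirm this is the macro sibling rules use). Typos in the new text: the title reads `Certificate certificate status checking in SSSD`, the description has `sures` for `ensures`, and the rationale has `Enusring` for `Ensuring`.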
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..24c19f44fdc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
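Review bot: None of the six scenarios (this file, correct_with_others_before.pass.sh, not_configured.fail.sh, partial_config.fail.sh, wrong_section.fail.sh, wrong_value.fail.sh) place the setting in `/etc/sssd/conf.d/*.conf`, although the OVAL `<ind:filepath>` pattern and the bash remediation both cover that directory and the remediation's fallback writes there; a conf.d pass case and a commented-out `# certificate_verification = ocsp_dgst=sha1` fail case would cover the filepath pattern and the check's comment handling. A scenario where the `[sssd]` block is followed by another section header would also exercise the section walker in the OVAL pattern. The scripts write the setting with `echo -e`; `printf '[sssd]\ncertificate_verification = ocsp_dgst=sha1\n' >> /etc/sssd/sssd.conf` is the portable form.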
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
new file mode 100644
index 00000000000..982450fc81b
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ndifferent_option = test\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
new file mode 100644
index 00000000000..ed011f9d4bc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
new file mode 100644
index 00000000000..3c7c468b9d5
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
new file mode 100644
index 00000000000..635ca4bebcc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[ssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..93f363edc04
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
new file mode 100644
index 00000000000..cdbd0a13576
--- /dev/null
+++ b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'SSSD certificate_verification option'
+
+description: |-
+    Value of the certificate_verification option in
+    the SSSD config.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+    sha1: sha1
+    sha256: sha256
+    sha384: sha384
+    sha512: sha512
+    default: sha1
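Review bot: The description says the variable is the `Value of the certificate_verification option`, but the OVAL state compares it only against the `(\w+)` digest name captured after `ocsp_dgst=` and the bash remediation inserts it after `ocsp_dgst =`, so the variable holds only the digest function. Suggest the description `Digest function used by the ocsp_dgst parameter of the certificate_verification option in the SSSD configuration (sssd.conf and conf.d snippets).` and a matching title such as `SSSD certificate_verification OCSP digest function`.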
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9dc9360e899..5b1f709faaf 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -70,6 +70,7 @@ selections:
     - var_auditd_disk_error_action=halt
     - var_auditd_max_log_file_action=syslog
     - var_auditd_disk_full_action=halt
+    - var_sssd_certificate_verification_digest_function=sha1
 
     ### Enable / Configure FIPS
     - enable_fips_mode
@@ -275,6 +276,7 @@ selections:
     - install_smartcard_packages
 
     # RHEL-08-010400
+    - sssd_certificate_verification
 
     # RHEL-08-010410
     - package_opensc_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..81f94f7dbca 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -236,7 +236,6 @@ CCE-86116-1
 CCE-86117-9
 CCE-86118-7
 CCE-86119-5
-CCE-86120-3
 CCE-86121-1
 CCE-86122-9
 CCE-86123-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e9ba0f0adbf..baef93bba64 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -342,6 +342,7 @@ selections:
 - sshd_set_keepalive_0
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sssd_certificate_verification
 - sssd_enable_certmap
 - sssd_enable_smartcards
 - sssd_offline_cred_expiration
@@ -410,6 +411,7 @@ selections:
 - sshd_approved_macs=stig
 - sshd_approved_ciphers=stig
 - sshd_idle_timeout_value=10_minutes
+- var_accounts_authorized_local_users_regex=rhel8
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
 - var_accounts_passwords_pam_faillock_unlock_time=never
@@ -425,7 +427,7 @@ selections:
 - var_auditd_disk_error_action=halt
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=halt
-- var_accounts_authorized_local_users_regex=rhel8
+- var_sssd_certificate_verification_digest_function=sha1
 - var_system_crypto_policy=fips
 - var_sudo_timestamp_timeout=always_prompt
 title: DISA STIG for Red Hat Enterprise Linux 8
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c8540f9392e..237f66c721f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -353,6 +353,7 @@ selections:
 - sshd_set_keepalive_0
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sssd_certificate_verification
 - sssd_enable_certmap
 - sssd_enable_smartcards
 - sssd_offline_cred_expiration
@@ -420,6 +421,7 @@ selections:
 - sshd_approved_macs=stig
 - sshd_approved_ciphers=stig
 - sshd_idle_timeout_value=10_minutes
+- var_accounts_authorized_local_users_regex=rhel8
 - var_accounts_passwords_pam_faillock_deny=3
 - var_accounts_passwords_pam_faillock_fail_interval=900
 - var_accounts_passwords_pam_faillock_unlock_time=never
@@ -435,7 +437,7 @@ selections:
 - var_auditd_disk_error_action=halt
 - var_auditd_max_log_file_action=syslog
 - var_auditd_disk_full_action=halt
-- var_accounts_authorized_local_users_regex=rhel8
+- var_sssd_certificate_verification_digest_function=sha1
 - var_system_crypto_policy=fips
 - var_sudo_timestamp_timeout=always_prompt
 title: DISA STIG with GUI for Red Hat Enterprise Linux 8