From f027c56e45e703663c25dea18f78111d5d8a7e0f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 19 Aug 2021 11:16:08 -0500
Subject: [PATCH] Added rule for RHEL-08-010400
---
.../ansible/shared.yml | 27 +++++++++++++
.../bash/shared.sh | 33 +++++++++++++++
.../oval/shared.xml | 30 ++++++++++++++
.../sssd_certificate_verification/rule.yml | 40 +++++++++++++++++++
.../tests/correct_value.pass.sh | 6 +++
.../tests/correct_with_others_before.pass.sh | 6 +++
.../tests/not_configured.fail.sh | 5 +++
.../tests/partial_config.fail.sh | 6 +++
.../tests/wrong_section.fail.sh | 6 +++
.../tests/wrong_value.fail.sh | 6 +++
...rtificate_verification_digest_function.var | 20 ++++++++++
products/rhel8/profiles/stig.profile | 2 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 4 +-
.../profile_stability/rhel8/stig_gui.profile | 4 +-
15 files changed, 193 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
new file mode 100644
index 00000000000..8e36f0974fd
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/ansible/shared.yml
@@ -0,0 +1,27 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
+ ini_file:
+ path: /etc/sssd/sssd.conf
+ section: sssd
+ option: certificate_verification
+ state: absent
+
+- name: 'Ensure that "certificate_verification" is not set in /etc/sssd/conf.d/*.conf'
+ ini_file:
+ path: /etc/sssd/conf.d/*.conf
+ section: sssd
+ option: certificate_verification
+ state: absent
+
+- name: Ensure that "certificate_verification" is set
+ ini_file:
+ path: /etc/sssd/conf.d/certificate_verification.conf
+ section: sssd
+ option: certificate_verification
+ value: "ocsp_dgst = sha1"
+ state: present
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
new file mode 100644
index 00000000000..8f9e5514480
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/bash/shared.sh
@@ -0,0 +1,33 @@
+# platform = multi_platform_rhel,multi_platform_fedora
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = medium
+
+# include our remediation functions library
+. /usr/share/scap-security-guide/remediation_functions
+
+{{{ bash_instantiate_variables("var_sssd_certificate_verification_digest_function") }}}
+
+found=false
+for f in /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf; do
+ if [ ! -e "$f" ]; then
+ continue
+ fi
+ cert=$( awk '/^\s*\[/{f=0} /^\s*\[sssd\]/{f=1} f{nu=gensub("^\\s*certificate_verification\\s*=\\s*ocsp_dgst\\s*=\\s*(\\w+).*","\\1",1); if($0!=nu){cert=nu}} END{print cert}' "$f" )
+ if [ -n "$cert" ] ; then
+ if [ "$cert" != $var_sssd_certificate_verification_digest_function ] ; then
+ sed -i "s/^certificate_verification\s*=.*/certificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function/" "$f"
+ fi
+ found=true
+ fi
+done
+
+if ! $found ; then
+ SSSD_CONF="/etc/sssd/conf.d/certificate_verification.conf"
+ mkdir -p $( dirname $SSSD_CONF )
+ touch $SSSD_CONF
+ chown root:root $SSSD_CONF
+ chmod 600 $SSSD_CONF
+ echo -e "[sssd]\ncertificate_verification = ocsp_dgst = $var_sssd_certificate_verification_digest_function" >> $SSSD_CONF
+fi
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
new file mode 100644
index 00000000000..77736f54f03
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/oval/shared.xml
@@ -0,0 +1,30 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("SSSD should be configured with the correct ocsp_dgst
+ digest function") }}}
+ <criteria>
+ <criterion comment="check value of certificate_verification in sssd configuration"
+ test_ref="test_{{{rule_id}}}" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="test the value of
+ certificate_verification in sssd configuration" id="test_{{{rule_id}}}" version="1">
+ <ind:object object_ref="obj_{{{rule_id}}}" />
+ <ind:state state_ref="state_{{{rule_id}}}" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">
+ <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*\[sssd](?:[^\n\[]*\n+)+?[\s]*certificate_verification\s*=\s*ocsp_dgst\s*=\s*(\w+)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_state comment="value of certificate_verification" id="state_{{{rule_id}}}" version="1">
+ <ind:subexpression operation="equals" var_check="all"
+ var_ref="var_sssd_certificate_verification_digest_function" />
+ </ind:textfilecontent54_state>
+
+ <external_variable comment="certificate_verification value" datatype="string"
+ id="var_sssd_certificate_verification_digest_function" version="1" />
+</def-group>
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
new file mode 100644
index 00000000000..182e75a2aab
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Certificate certificate status checking in SSSD'
+
+description: |-
+ Multifactor solutions that require devices separate from information systems gaining access include,
+ for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
+ By configuring <tt>certificate_verification</tt> to <tt>ocsp_dgst=sha1</tt> sures that certificates for
+ multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
+
+rationale: |-
+ Enusring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
+ ensures the security of the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86120-3
+
+references:
+ disa: CCI-001948
+ nist: IA-2(11)
+ srg: SRG-OS-000375-GPOS-00160,SRG-OS-000377-GPOS-00162
+ stigid@rhel8: RHEL-08-010400
+
+
+ocil_clause: 'certificate_verification in sssd is not configured'
+
+ocil: |-
+ Check to see if Online Certificate Status Protocol (OCSP)
+ is enabled and using the proper digest value on the system with the following command:
+ <pre>$ sudo grep certificate_verification /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf | grep -v "^#"</pre>
+ If configured properly, output should look like
+ <pre>
+ certificate_verification = ocsp_dgst=sha1
+ </pre>
+ The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:
+ <pre>$ sudo systemctl restart sssd.service</pre>
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..24c19f44fdc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
new file mode 100644
index 00000000000..982450fc81b
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/correct_with_others_before.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ndifferent_option = test\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
new file mode 100644
index 00000000000..ed011f9d4bc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/not_configured.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
new file mode 100644
index 00000000000..3c7c468b9d5
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/partial_config.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
new file mode 100644
index 00000000000..635ca4bebcc
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_section.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[ssd]\ncertificate_verification = ocsp_dgst=sha1" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..93f363edc04
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_certificate_verification/tests/wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = sssd-common
+
+mkdir -p /etc/sssd/conf.d
+touch /etc/sssd/sssd.conf
+echo -e "[sssd]\ncertificate_verification = ocsp_dgst=sha256" >> /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
new file mode 100644
index 00000000000..cdbd0a13576
--- /dev/null
+++ b/linux_os/guide/services/sssd/var_sssd_certificate_verification_digest_function.var
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'SSSD certificate_verification option'
+
+description: |-
+ Value of the certificate_verification option in
+ the SSSD config.
+
+type: string
+
+operator: equals
+
+interactive: true
+
+options:
+ sha1: sha1
+ sha256: sha256
+ sha384: sha384
+ sha512: sha512
+ default: sha1
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9dc9360e899..5b1f709faaf 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -70,6 +70,7 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
+ - var_sssd_certificate_verification_digest_function=sha1
### Enable / Configure FIPS
- enable_fips_mode
@@ -275,6 +276,7 @@ selections:
- install_smartcard_packages
# RHEL-08-010400
+ - sssd_certificate_verification
# RHEL-08-010410
- package_opensc_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 3b24e19da06..81f94f7dbca 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -236,7 +236,6 @@ CCE-86116-1
CCE-86117-9
CCE-86118-7
CCE-86119-5
-CCE-86120-3
CCE-86121-1
CCE-86122-9
CCE-86123-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index e9ba0f0adbf..baef93bba64 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -342,6 +342,7 @@ selections:
- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
+- sssd_certificate_verification
- sssd_enable_certmap
- sssd_enable_smartcards
- sssd_offline_cred_expiration
@@ -410,6 +411,7 @@ selections:
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
+- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
@@ -425,7 +427,7 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
-- var_accounts_authorized_local_users_regex=rhel8
+- var_sssd_certificate_verification_digest_function=sha1
- var_system_crypto_policy=fips
- var_sudo_timestamp_timeout=always_prompt
title: DISA STIG for Red Hat Enterprise Linux 8
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index c8540f9392e..237f66c721f 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -353,6 +353,7 @@ selections:
- sshd_set_keepalive_0
- sshd_use_strong_rng
- sshd_x11_use_localhost
+- sssd_certificate_verification
- sssd_enable_certmap
- sssd_enable_smartcards
- sssd_offline_cred_expiration
@@ -420,6 +421,7 @@ selections:
- sshd_approved_macs=stig
- sshd_approved_ciphers=stig
- sshd_idle_timeout_value=10_minutes
+- var_accounts_authorized_local_users_regex=rhel8
- var_accounts_passwords_pam_faillock_deny=3
- var_accounts_passwords_pam_faillock_fail_interval=900
- var_accounts_passwords_pam_faillock_unlock_time=never
@@ -435,7 +437,7 @@ selections:
- var_auditd_disk_error_action=halt
- var_auditd_max_log_file_action=syslog
- var_auditd_disk_full_action=halt
-- var_accounts_authorized_local_users_regex=rhel8
+- var_sssd_certificate_verification_digest_function=sha1
- var_system_crypto_policy=fips
- var_sudo_timestamp_timeout=always_prompt
title: DISA STIG with GUI for Red Hat Enterprise Linux 8