From 6eeef4054d707b8b255e9fa600c4c7babffbf5f7 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Mon, 2 Aug 2021 08:37:04 -0500
Subject: [PATCH] Add rule for RHEL-08-020090
---
 .../sssd/sssd_enable_certmap/rule.yml | 58 +++++++++++++++++++
 .../sssd_enable_certmap/tests/default.fail.sh | 4 ++
 .../tests/with_section.pass.sh | 7 +++
 products/rhel8/profiles/stig.profile | 1 +
 shared/references/cce-redhat-avail.txt | 1 -
 .../data/profile_stability/rhel8/stig.profile | 1 +
 .../profile_stability/rhel8/stig_gui.profile | 1 +
 7 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
new file mode 100644
index 0000000000..0614a2f4a0
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml
@@ -0,0 +1,58 @@
+documentation_complete: true
+
+prodtype: fedora,rhel8
+
+title: 'Enable Certmap in SSSD'
+
+description: |-
+ SSSD should be configured to verify the certificate of the user or group. To set this up
+ ensure that section like certmap/testing.test/rule_name is setup in
+ /etc/sssd/sssd.conf. For example
+
+   [certmap/testing.test/rule_name]
+   matchrule =<SAN>.*EDIPI@mil
+   maprule = (userCertificate;binary={cert!bin})
+   domains = testing.test
+   
+
+rationale: |-
+ Without mapping the certificate used to authenticate to the user account, the ability to
+ determine the identity of the individual user or group will not be available for forensic
+ analysis.
+
+severity: medium
+
+identifiers:
+ cce@rhel8: CCE-86060-1
+
+references:
+ disa: CCI-000187
+ nist: IA-5 (2) (c)
+ stigid@rhel8: RHEL-08-020090
+
+warnings:
+ - general: |-
+ Automatic remediation of this control is not available, since all of the settings in
+ in the certmap need to be customized.
+
+ocil_clause: 'Certmap is not configured in SSSD'
+
+ocil: |-
+ To verify Certmap is enabled in SSSD, run the following command:
+
$ cat sudo cat /etc/sssd/sssd.conf
+ If configured properly, output should contain section like the following
+
+    [certmap/testing.test/rule_name]
+    matchrule =<SAN>.*EDIPI@mil
+    maprule = (userCertificate;binary={cert!bin})
+    domains = testing.test
+    
+
+template:
+ name: lineinfile
+ vars:
+ path: '/etc/sssd/sssd.conf'
+ text: '^\[certmap\/.+\/.+\]$'
+ backends:
+ ansible: "off"
+ bash: "off"
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
new file mode 100644
index 0000000000..1e31c0da19
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+touch /etc/sssd/sssd.conf
+sed -i "s/\[certmap.*//g" /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
new file mode 100644
index 0000000000..911e095f5d
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+cat >> /etc/sssd/sssd.conf<< EOF
+[certmap/testing.test/rule_name]
+matchrule =.*EDIPI@mil
+maprule = (userCertificate;binary={cert!bin})
+domains = testing.test
+EOF
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index f17a7b88b1..ec0a3b1753 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -503,6 +503,7 @@ selections:
 # RHEL-08-020080
 # RHEL-08-020090
+ - sssd_enable_certmap
 # RHEL-08-020100
 - accounts_password_pam_retry
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 73d025484e..e80557f033 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -186,7 +186,6 @@ CCE-86056-9
 CCE-86057-7
 CCE-86058-5
 CCE-86059-3
-CCE-86060-1
 CCE-86061-9
 CCE-86062-7
 CCE-86063-5
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 236e595604..bffa509b69 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
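Review bot: The `text` pattern `^\[certmap\/.+\/.+\]$` in the lineinfile template only proves that some `[certmap/<domain>/<name>]` header exists in `/etc/sssd/sssd.conf`; it does not confirm the section carries a `matchrule`/`maprule` or that the named domain is one SSSD serves, so a bare header passes while an equivalent certmap section kept in a `/etc/sssd/conf.d/*.conf` drop-in (which SSSD also reads) fails, and both tests in this patch exercise only the header line. Since remediation is disabled anyway, the `warnings` entry is the place to say so, for example `The check only confirms that a [certmap/<domain>/<name>] section header exists in /etc/sssd/sssd.conf; the rule's contents and any /etc/sssd/conf.d/ drop-ins are not examined.` The OCIL command reads `$ cat sudo cat /etc/sssd/sssd.conf` and should be `$ sudo cat /etc/sssd/sssd.conf` unless that is a rendering artefact, and the `warnings` text doubles `in` across the line break (`settings in` / `in the certmap`). The example `matchrule =<SAN>.*EDIPI@mil` would also benefit from a sentence stating that `testing.test` and the EDIPI suffix are placeholders to be replaced with the site's own domain and certificate naming scheme.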
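Review bot: `sed -i "s/\[certmap.*//g"` blanks only the section header line, so the `matchrule`/`maprule`/`domains` keys of any pre-existing certmap section are left behind without a section, which leaves `sssd.conf` malformed for SSSD even though it satisfies this rule's header-only check; deleting the section as a range, `sed -i '/^\[certmap/,/^$/d' /etc/sssd/sssd.conf`, removes the header together with its keys up to the next blank line. `touch /etc/sssd/sssd.conf` also creates the file with the caller's umask rather than the root-owned `0600` mode SSSD expects, which is harmless for this check but worth a one-line comment if the fixture is reused by other SSSD scenarios.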
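Review bot: `matchrule =.*EDIPI@mil` here differs from the rule's own example `matchrule =<SAN>.*EDIPI@mil` in rule.yml (description and ocil), and a match rule without a `<SAN>`-style selector is, as far as I can tell, not a valid sss-certmap rule; the scenario still passes only because the check matches the section header, so the fixture ends up hiding the very weakness of the check. Unless the `<SAN>` was dropped by rendering, aligning it with the documented example, `matchrule =<SAN>.*EDIPI@mil`, keeps the pass scenario a configuration SSSD would actually load. `cat >>` appends even when `/etc/sssd/sssd.conf` does not exist, so the certmap section may land in a file with no `[sssd]` section; a comment such as `# header-only check: a minimal certmap section is enough to pass` would make that intent explicit.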
@@ -275,6 +275,7 @@ selections:
 - sshd_set_keepalive_0
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sssd_enable_certmap
 - sssd_enable_smartcards
 - sssd_offline_cred_expiration
 - sudo_remove_no_authenticate
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 9973b5adef..c84ac75c7b 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -286,6 +286,7 @@ selections:
 - sshd_set_keepalive_0
 - sshd_use_strong_rng
 - sshd_x11_use_localhost
+- sssd_enable_certmap
 - sssd_enable_smartcards
 - sssd_offline_cred_expiration
 - sudo_remove_no_authenticate