From a89f73985d5d92acc75229004bafdc931f5ed750 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Thu, 3 Sep 2020 18:09:53 +0200
Subject: [PATCH 1/2] Introduce new rule sssd_ldap_configure_tls_reqcert.
---
.../ansible/shared.yml | 6 +++
.../bash/shared.sh | 6 +++
.../oval/shared.xml | 24 ++++++++++++
.../sssd_ldap_configure_tls_reqcert/rule.yml | 39 +++++++++++++++++++
...rovider_and_reqcert_never.notapplicable.sh | 7 ++++
.../tests/correct_value.pass.sh | 5 +++
.../id_provider_is_set_to_ad.notapplicable.sh | 6 +++
...ldap_id_provider_and_reqcert_never.fail.sh | 6 +++
.../tests/ldap_tls_reqcert_not_there.fail.sh | 6 +++
rhel7/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 2 -
tests/shared/sssd.conf | 1 +
12 files changed, 107 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
create mode 100644 linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml new file mode 100644 index 0000000000..891b3e2f97 --- /dev/null +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/ansible/shared.yml @@ -0,0 +1,6 @@ +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol +# reboot = false +# strategy = unknown +# complexity = low +# disruption = medium +{{{ ansible_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}} diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh new file mode 100644 index 0000000000..62c2febc46 --- /dev/null +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/bash/shared.sh @@ -0,0 +1,6 @@ +# platform = multi_platform_wrlinux,multi_platform_rhel,multi_platform_fedora,multi_platform_ol + +# Include source function library. +. /usr/share/scap-security-guide/remediation_functions + +{{{ bash_sssd_ldap_config(parameter="ldap_tls_reqcert", value="demand") }}} diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml new file mode 100644 index 0000000000..9d3db0488f --- /dev/null +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml @@ -0,0 +1,24 @@ + + + + Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server + {{{- oval_affected(products) }}} + Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions. + + + + + + + + + + + + /etc/sssd/sssd.conf + ^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$ + 1 + + 
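Review bot: `# strategy = unknown` on the third line of ansible/shared.yml undersells a remediation whose only effect is writing one key into sssd.conf through `ansible_sssd_ldap_config`; `configure` is the strategy the project uses for that kind of change, so `# strategy = configure` would be the accurate header, assuming this rule follows its sssd-ldap siblings. The bash counterpart in the next hunk carries only the platform line, so the two remediations of the same rule do not advertise the same reboot, complexity and disruption metadata; aligning the two headers keeps the generated guidance consistent.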
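Review bot: The pattern `^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$` is satisfied by a single `ldap_tls_reqcert = demand` under any `[domain/...]` header, so a host with several domain sections passes as long as one of them is correct, and a second domain left at `never` or `allow` is not reported. As far as the stripped markup shows, the state checks one instance only; a check that every domain section carries the setting, or a second object asserting that no domain section has a different value, would close that gap, though it may simply mirror how the sibling sssd_ldap rules are written. SSSD's sssd-ldap man page also documents `hard` as equivalent to `demand`, so an administrator who chose `hard` is flagged as failing; whether the regex should accept `((?i)demand|hard)` deserves a deliberate decision rather than an accidental one. The OVAL object and state elements are not visible in this rendering, so the exact test structure is inferred.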
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml new file mode 100644 index 0000000000..4dee11bcfb --- /dev/null +++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml @@ -0,0 +1,39 @@ +documentation_complete: true + +prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019 + +title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server' + +description: |- + Configure SSSD to demand a valid certificate from the server to + protect the integrity of LDAP remote access sessions. By setting + the
ldap_tls_reqcert
option in
/etc/sssd/sssd.conf
+ to demand. + +rationale: |- + Without a valid certificate presented to the LDAP client backend, the identity of a + server can be forged compromising LDAP remote access sessions. + +severity: medium + +identifiers: + cce@rhel7: CCE-84061-1 + cce@rhel8: CCE-84062-9 + +references: + stigid@ol7: OL07-00-040190 + disa: CCI-001453 + nist: SC-12(3),CM-6(a) + srg: SRG-OS-000250-GPOS-00093 + stigid@rhel7: RHEL-07-040190 + +ocil_clause: 'the TLS reqcert is not set to demand' + +ocil: |- + To verify the LDAP client backend demands a valid certificate from the server in + remote ldap access sessions, run the following command: +
$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf
+ The output should return the following: +
ldap_tls_reqcert = demand
+
+platform: sssd-ldap
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
new file mode 100644
index 0000000000..3b82743f8d
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf
+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..82bff74acf
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
new file mode 100644
index 0000000000..21f3af4c96
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i 's/id_provider = ldap/id_provider = ad/' /etc/sssd/sssd.conf
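Review bot: The OCIL command `$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf` in rule.yml also prints commented-out lines such as `#ldap_tls_reqcert = never` and any occurrence outside a `[domain/...]` section, so an auditor can see the expected `ldap_tls_reqcert = demand` from a line SSSD never applies. Restricting the manual check to uncommented lines, `$ sudo grep -E '^[[:space:]]*ldap_tls_reqcert' /etc/sssd/sssd.conf`, keeps it closer to what the OVAL pattern in this commit accepts. The expected-output text can stay as it is.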
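Review bot: The sed on the second-to-last line of ad_id_provider_and_reqcert_never.notapplicable.sh replaces `ldap_tls_reqcert = demand` with `ldap_id_use_start_tls = never`, which is not the option the file name promises: the resulting config simply has no `ldap_tls_reqcert` line, the scenario ldap_tls_reqcert_not_there.fail.sh already covers, and `ldap_id_use_start_tls` appears to be a boolean option copied from the sssd_ldap_start_tls tests. The same substitution is used in tests/ldap_id_provider_and_reqcert_never.fail.sh. To exercise the intended "never" case, both scripts should use `sed -i 's/ldap_tls_reqcert = demand/ldap_tls_reqcert = never/' /etc/sssd/sssd.conf`, which is also the value the OVAL regex in oval/shared.xml must reject.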
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
new file mode 100644
index 0000000000..0fe620475e
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i 's/ldap_tls_reqcert = demand/ldap_id_use_start_tls = never/' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
new file mode 100644
index 0000000000..0e01fafb6f
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index b820d30608..1b41b85857 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -236,6 +236,7 @@ selections:
 - sssd_ldap_start_tls.severity=medium
 - sssd_ldap_configure_tls_ca_dir
 - sssd_ldap_configure_tls_ca
+ - sssd_ldap_configure_tls_reqcert
 - sysctl_kernel_randomize_va_space
 - package_openssh-server_installed
 - sshd_required=yes
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 4609b82680..7ab5eb179e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -650,8 +650,6 @@ CCE-84057-9
 CCE-84058-7
 CCE-84059-5
 CCE-84060-3
-CCE-84061-1
-CCE-84062-9
 CCE-84063-7
 CCE-84064-5
 CCE-84065-2
diff --git a/tests/shared/sssd.conf b/tests/shared/sssd.conf
index dc51456425..6903a25d37 100644
--- a/tests/shared/sssd.conf
+++ b/tests/shared/sssd.conf
@@ -9,6 +9,7 @@ ldap_search_base = dc=com
 ldap_tls_cacertdir = /etc/openldap/cacerts
 cache_credentials = True
 krb5_store_password_if_offline = True
+ldap_tls_reqcert = demand
 [sssd]
From daf742ec9dad984e17e8a99bd7793bc9f44a32c4 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 21 Sep 2020 17:24:08 +0200
Subject: [PATCH 2/2] Use oval_metadata macro and update text of rule sssd_ldap_configure_tls_reqcert.
---
.../sssd_ldap_configure_tls_reqcert/oval/shared.xml | 7 ++-----
.../sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml | 4 ++--
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
index 9d3db0488f..688cf17abb 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
@@ -1,10 +1,7 @@ - - Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server - {{{- oval_affected(products) }}} - Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions. - + {{{ oval_metadata("Configure SSSD to request a valid certificate from the server to protect LDAP remote access sessions.", + title="Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server") }}}
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
index 4dee11bcfb..731b7c0846 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/rule.yml
@@ -6,7 +6,7 @@ title: 'Configure SSSD LDAP Backend Client to Demand a Valid Certificate from th
 description: |-
 Configure SSSD to demand a valid certificate from the server to
- protect the integrity of LDAP remote access sessions. By setting
+ protect the integrity of LDAP remote access sessions by setting
 the
ldap_tls_reqcert
option in
/etc/sssd/sssd.conf
to demand. @@ -31,7 +31,7 @@ ocil_clause: 'the TLS reqcert is not set to demand' ocil: |- To verify the LDAP client backend demands a valid certificate from the server in - remote ldap access sessions, run the following command: + remote LDAP access sessions, run the following command:
$ sudo grep ldap_tls_reqcert /etc/sssd/sssd.conf
The output should return the following:
ldap_tls_reqcert = demand