File: rule.yml

Package: scap-security-guide 0.1.78-1
documentation_complete: true


title: 'Enable Certmap in SSSD'

description: |-
   SSSD should be configured to verify the certificate of the user or group. To set this up,
   ensure that a section like <tt>certmap/testing.test/rule_name</tt> is set up in
   <tt>/etc/sssd/sssd.conf</tt>. For example:
   <pre>
   [certmap/testing.test/rule_name]
   matchrule =&lt;SAN&gt;.*EDIPI@mil
   maprule = (userCertificate;binary={cert!bin})
   domains = testing.test
   </pre>

rationale: |-
   Without mapping the certificate used to authenticate to the user account, the ability to
   determine the identity of the individual user or group will not be available for forensic
   analysis.

severity: medium

identifiers:
   cce@rhel8: CCE-86060-1
   cce@rhel9: CCE-89737-1
   cce@rhel10: CCE-90713-9

references:
   nist: IA-5 (2) (c)
   srg: SRG-OS-000068-GPOS-00036
   stigid@ol8: OL08-00-020090

warnings:
    - general: |-
        Automatic remediation of this control is not available, since all of the settings in
        the certmap need to be customized.

ocil_clause: 'Certmap is not configured in SSSD'

ocil: |-
    To verify Certmap is enabled in SSSD, run the following command:
    <pre>$ sudo cat /etc/sssd/sssd.conf</pre>
    If configured properly, the output should contain a section like the following:
    <pre>
    [certmap/testing.test/rule_name]
    matchrule =&lt;SAN&gt;.*EDIPI@mil
    maprule = (userCertificate;binary={cert!bin})
    domains = testing.test
    </pre>

fixtext: |-
    Configure {{{ full_name }}} to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf" file based on the following example:

    [certmap/testing.test/rule_name]
    matchrule =<SAN>.*EDIPI@mil
    maprule = (userCertificate;binary={cert!bin})
    domains = testing.test

    The "sssd" service must be restarted for the changes to take effect. To restart the "sssd" service, run the following command:

    $ sudo systemctl restart sssd.service

srg_requirement: |-
    {{{ full_name }}} must map the authenticated identity to the user or group account for PKI-based authentication.

template:
    name: lineinfile
    vars:
      path: '/etc/sssd/sssd.conf'
      text: '\[certmap\/.+\/.+\]'
      escape_text: "false"
    backends:
        ansible: "off"
        bash: "off"
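As an added example that is not part of this rule or of the scap-security-guide project, the following Python audit goes one step beyond the lineinfile header check in the template: it parses an sssd.conf with configparser, finds sections matching the same [certmap/<domain>/<rule>] header pattern, and reports any of the three settings from the example section that are missing, or a domains value that omits the domain named in the header. The sample configurations are constructed.

```python
import configparser
import re

# Header pattern equivalent to the template's lineinfile regex: [certmap/<domain>/<rule name>]
CERTMAP_SECTION = re.compile(r"^certmap/([^/]+)/([^/]+)$")
# The three settings shown in the rule's example section.
EXPECTED_KEYS = ("matchrule", "maprule", "domains")


def audit_certmap(text):
    """Return a list of findings; an empty list means a complete certmap section exists."""
    # Interpolation is off so {cert!bin} passes through; '=' is the only delimiter in sssd.conf.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    sections = [s for s in parser.sections() if CERTMAP_SECTION.match(s)]
    if not sections:
        return ["no [certmap/<domain>/<rule>] section found"]
    findings = []
    for section in sections:
        header_domain = CERTMAP_SECTION.match(section).group(1)
        for key in EXPECTED_KEYS:
            if not parser.has_option(section, key):
                findings.append(f"{section}: missing '{key}'")
        # A 'domains' list that omits the header's domain means the rule never applies there.
        if parser.has_option(section, "domains"):
            listed = [d.strip() for d in parser.get(section, "domains").split(",")]
            if header_domain not in listed:
                findings.append(f"{section}: 'domains' ({', '.join(listed)}) omits {header_domain}")
    return findings


# Constructed sample matching the rule's example (not taken from a real host).
GOOD_CONF = """\
[sssd]
domains = testing.test

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
"""

# Constructed misconfiguration: the header alone satisfies a header-only check, but
# maprule is absent and the domains list names a different domain.
BAD_CONF = """\
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
domains = other.test
"""
```

An empty result corresponds to the condition the ocil check above describes; the extra findings catch sections that exist but cannot map a certificate to an account.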