From 6eeef4054d707b8b255e9fa600c4c7babffbf5f7 Mon Sep 17 00:00:00 2001

From: Matthew Burket <mburket@redhat.com>

Date: Mon, 2 Aug 2021 08:37:04 -0500

Subject: [PATCH] Add rule for RHEL-08-020090

---

 .../sssd/sssd_enable_certmap/rule.yml         | 58 +++++++++++++++++++

 .../sssd_enable_certmap/tests/default.fail.sh |  4 ++

 .../tests/with_section.pass.sh                |  7 +++

 products/rhel8/profiles/stig.profile          |  1 +

 shared/references/cce-redhat-avail.txt        |  1 -

 .../data/profile_stability/rhel8/stig.profile |  1 +

 .../profile_stability/rhel8/stig_gui.profile  |  1 +

 7 files changed, 72 insertions(+), 1 deletion(-)

 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml

 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh

 create mode 100644 linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh

diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml

new file mode 100644

index 0000000000..0614a2f4a0

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/rule.yml

@@ -0,0 +1,58 @@

+documentation_complete: true

+

+prodtype: fedora,rhel8

+

+title: 'Enable Certmap in SSSD'

+

+description: |-

+   SSSD should be configured to verify the certificate of the user or group. To set this up

+    ensure that section like <tt>certmap/testing.test/rule_name</tt> is setup in

+   <tt>/etc/sssd/sssd.conf</tt>. For example

+   

+   [certmap/testing.test/rule_name]

+   matchrule =<SAN>.*EDIPI@mil

+   maprule = (userCertificate;binary={cert!bin})

+   domains = testing.test

+   

+

+rationale: |-

+   Without mapping the certificate used to authenticate to the user account, the ability to

+   determine the identity of the individual user or group will not be available for forensic

+   analysis.

+

+severity: medium

+

+identifiers:

+   cce@rhel8: CCE-86060-1

+

+references:

+   disa: CCI-000187

+   nist: IA-5 (2) (c)

+   stigid@rhel8: RHEL-08-020090

+

+warnings:

+    - general: |-

+        Automatic remediation of this control is not available, since all of the settings in

+        in the certmap need to be customized.

+

+ocil_clause: 'Certmap is not configured in SSSD'

+

+ocil: |-

+    To verify Certmap is enabled in SSSD, run the following command:

+    
$ cat sudo cat /etc/sssd/sssd.conf

+    If configured properly, output should contain section like the following

+    

+    [certmap/testing.test/rule_name]

+    matchrule =<SAN>.*EDIPI@mil

+    maprule = (userCertificate;binary={cert!bin})

+    domains = testing.test

+    

+

+template:

+    name: lineinfile

+    vars:

+      path: '/etc/sssd/sssd.conf'

+      text: '^\[certmap\/.+\/.+\]$'

+    backends:

+        ansible: "off"

+        bash: "off"

diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh

new file mode 100644

index 0000000000..1e31c0da19

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/default.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+

+touch /etc/sssd/sssd.conf

+sed -i "s/\[certmap.*//g" /etc/sssd/sssd.conf

diff --git a/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh

new file mode 100644

index 0000000000..911e095f5d

--- /dev/null

+++ b/linux_os/guide/services/sssd/sssd_enable_certmap/tests/with_section.pass.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+cat >> /etc/sssd/sssd.conf<< EOF

+[certmap/testing.test/rule_name]

+matchrule =<SAN>.*EDIPI@mil

+maprule = (userCertificate;binary={cert!bin})

+domains = testing.test

+EOF

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index f17a7b88b1..ec0a3b1753 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -503,6 +503,7 @@ selections:

     # RHEL-08-020080

     # RHEL-08-020090

+    - sssd_enable_certmap

     # RHEL-08-020100

     - accounts_password_pam_retry

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index 73d025484e..e80557f033 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -186,7 +186,6 @@ CCE-86056-9

 CCE-86057-7

 CCE-86058-5

 CCE-86059-3

-CCE-86060-1

 CCE-86061-9

 CCE-86062-7

 CCE-86063-5

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 236e595604..bffa509b69 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -275,6 +275,7 @@ selections:

 - sshd_set_keepalive_0

 - sshd_use_strong_rng

 - sshd_x11_use_localhost

+- sssd_enable_certmap

 - sssd_enable_smartcards

 - sssd_offline_cred_expiration

 - sudo_remove_no_authenticate

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index 9973b5adef..c84ac75c7b 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -286,6 +286,7 @@ selections:

 - sshd_set_keepalive_0

 - sshd_use_strong_rng

 - sshd_x11_use_localhost

+- sssd_enable_certmap

 - sssd_enable_smartcards

 - sssd_offline_cred_expiration

 - sudo_remove_no_authenticate