diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
index 9fb218a0f7..a056742417 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
@@ -42,3 +42,5 @@ ocil: |-
<pre>$ sudo grep ldap_tls_cacert /etc/sssd/sssd.conf</pre>
The output should return the following with a correctly configured CA cert path:
<pre>ldap_tls_cacert /path/to/tls/ca.cert</pre>
+
+platform: sssd-ldap
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
index a6e8eeaad3..202fc7f444 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/ansible/shared.yml
@@ -3,39 +3,6 @@
# strategy = unknown
# complexity = low
# disruption = medium
-- (xccdf-var var_sssd_ldap_tls_ca_dir)
+{{{ ansible_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}}
-- name: "Test for domain group"
- command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
- register: test_grep_domain
- ignore_errors: yes
- changed_when: False
- check_mode: no
-
-- name: "Add default domain group and set CA directory (if no domain there)"
- ini_file:
- path: /etc/sssd/sssd.conf
- section: "{{ item.section }}"
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- create: yes
- mode: 0600
- with_items:
- - { section: sssd, option: domains, value: default}
- - { section: domain/default, option: id_provider, value: files }
- - { section: domain/default, option: ldap_tls_cacertdir, value: "{{ var_sssd_ldap_tls_ca_dir }}" }
- when:
- - test_grep_domain.stdout is defined
- - test_grep_domain.stdout | length < 1
-
-- name: "Configure LDAPs path to CA directory"
- ini_file:
- path: /etc/sssd/sssd.conf
- section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
- option: ldap_tls_cacertdir
- value: "{{ var_sssd_ldap_tls_ca_dir }}"
- create: yes
- mode: 0600
- when:
- - test_grep_domain.stdout is defined
- - test_grep_domain.stdout | length > 0
+{{{ ansible_sssd_ldap_config(parameter="ldap_tls_cacertdir", value="{{ var_sssd_ldap_tls_ca_dir }}") }}}
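Review bot: `ansible_sssd_ldap_config` is called here and in `sssd_ldap_start_tls/ansible/shared.yml`, but no definition of it appears anywhere in this diff; only `bash_sssd_ldap_config` is added, and that one lands in `shared/macros-oval.jinja`. Unless the Ansible macro is introduced in a part of the commit not shown, both remediations will fail at template-rendering time. If it does exist, its placement is worth checking too: a reader looking for `bash_*`/`ansible_*` helpers will not expect to find them in the OVAL macro file.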
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
index 91464ef04c..8a0d04ad78 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/bash/shared.sh
@@ -2,20 +2,7 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-populate var_sssd_ldap_tls_ca_dir
-SSSD_CONF="/etc/sssd/sssd.conf"
-LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir'
-DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
+{{{ bash_instantiate_variables("var_sssd_ldap_tls_ca_dir") }}}
-# Try find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to CA directory
-# if it isn't here, add it, if [domain/..] doesn't exist, add it here for default domain
-if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
- sed -i "s~ldap_tls_cacertdir[^(\n)]*~ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir~" $SSSD_CONF
-elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
- sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF
-else
- mkdir -p /etc/sssd
- touch $SSSD_CONF
- echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF
-fi
+{{{ bash_sssd_ldap_config(parameter="ldap_tls_cacertdir", value="$var_sssd_ldap_tls_ca_dir") }}}
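Review bot: The value passed here, `$var_sssd_ldap_tls_ca_dir`, is spliced unescaped into the macro's `sed -i "s#…#{{{ parameter }}} = {{{ value }}}#"` replacement and into an `echo -e` string, so a directory path containing `#`, `&` or a backslash breaks or silently alters the sed expression. The value comes from the profile or a tailoring file rather than from an untrusted user, so this is a robustness gap rather than an exploit path, but a guard before the macro call is cheap: `case "$var_sssd_ldap_tls_ca_dir" in *[\#\&\\]*) echo "Refusing unsafe value for var_sssd_ldap_tls_ca_dir" >&2; exit 1;; esac`. The previous inline code had the same exposure with the `~` delimiter, so this is parity rather than a regression.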
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
index d554bc6f18..570aa1baf9 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
@@ -28,11 +28,11 @@ identifiers:
cce@rhel8: CCE-82456-5
references:
- stigid@ol7: OL07-00-040190
+ stigid@ol7: OL07-00-040200
disa: CCI-001453
nist: SC-12(3),CM-6(a)
srg: SRG-OS-000250-GPOS-00093
- stigid@rhel7: RHEL-07-040190
+ stigid@rhel7: RHEL-07-040200
ocil_clause: 'the TLS CA cert is not configured'
@@ -42,3 +42,5 @@ ocil: |-
<pre>$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf</pre>
The output should return the following with a correctly configured CA cert path:
<pre>ldap_tls_cacertdir /path/to/tls/cacert</pre>
+
+platform: sssd-ldap
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
index 82e56d89a6..ebd2a37df8 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/domain_not_there.fail.sh
@@ -4,4 +4,7 @@
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
sed -i '/\[domain/d' /etc/sssd/sssd.conf
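Review bot: The `yum -y install /usr/lib/systemd/system/sssd.service` / `systemctl enable sssd` pair is pasted into every scenario under this rule's `tests/` directory and under `sssd_ldap_start_tls/tests/` (eight scripts in this diff) instead of living in `setup_correct_sssd_config` in `tests/shared/setup_config_files.sh`, which every one of them already sources. Moving the two lines into that helper leaves each scenario with only the `sed` that makes it distinct. Installing by file path also relies on yum's file-provides lookup; naming the package that owns the unit file (presumably `sssd` or `sssd-common` — confirm) is the conventional spelling and reads more clearly.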
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
index 82bff74acf..99ca3f8fba 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir.pass.sh
@@ -3,3 +3,6 @@
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
+
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
index 8e06bfae6b..5fb3609015 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_bad_value.fail.sh
@@ -4,5 +4,8 @@
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
sed -i 's:\(ldap_tls_cacertdir = \).*:\1/tmp/etc/openldap/cacerts:g' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
index 58b1324e09..9dd958933d 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_absolute_path.fail.sh
@@ -4,4 +4,7 @@
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
sed -i 's:\(ldap_tls_cacertdir = \)/:\1:g' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
index 38e88a1dc4..5a09eaf52f 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/tests/ldap_tls_cacertdir_not_there.fail.sh
@@ -4,4 +4,7 @@
. $SHARED/setup_config_files.sh
setup_correct_sssd_config
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
sed -i '/ldap_tls_cacertdir/d' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
index 07f4b1ea5a..b38bc41fe3 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/ansible/shared.yml
@@ -4,44 +4,4 @@
# complexity = low
# disruption = medium
-- name: "Set LDAP to be used for authentication"
- lineinfile:
- path: /etc/sysconfig/authconfig
- regexp: '^USELDAPAUTH='
- line: 'USELDAPAUTH=yes'
- create: yes
-
-- name: "Test for domain group"
- command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
- register: test_grep_domain
- ignore_errors: yes
- changed_when: False
- check_mode: no
-
-- name: "Add default domain group and use STARTTLS (if no domain there)"
- ini_file:
- path: /etc/sssd/sssd.conf
- section: "{{ item.section }}"
- option: "{{ item.option }}"
- value: "{{ item.value }}"
- create: yes
- mode: 0600
- with_items:
- - { section: sssd, option: domains, value: default}
- - { section: domain/default, option: id_provider, value: files }
- - { section: domain/default, option: ldap_id_use_start_tls, value: true}
- when:
- - test_grep_domain.stdout is defined
- - test_grep_domain.stdout | length < 1
-
-- name: "Configure LDAP to use STARTTLS"
- ini_file:
- path: /etc/sssd/sssd.conf
- section: "{{ test_grep_domain.stdout | regex_replace('\\[(.*)\\]','\\1') }}"
- option: ldap_id_use_start_tls
- value: true
- create: yes
- mode: 0600
- when:
- - test_grep_domain.stdout is defined
- - test_grep_domain.stdout | length > 0
+{{{ ansible_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}}
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
index 4b1d3d2544..805f7ad326 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/bash/shared.sh
@@ -3,27 +3,5 @@
# Include source function library.
. /usr/share/scap-security-guide/remediation_functions
-AUTHCONFIG="/etc/sysconfig/authconfig"
-USELDAPAUTH_REGEX="^USELDAPAUTH="
-SSSD_CONF="/etc/sssd/sssd.conf"
-LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
-DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
+{{{ bash_sssd_ldap_config(parameter="ldap_id_use_start_tls", value="true") }}}
-# Try find USELDAPAUTH in authconfig. If its here set to 'yes', otherwise append USELDAPAUTH=yes
-grep -qs "^USELDAPAUTH=" "$AUTHCONFIG" && sed -i 's/^USELDAPAUTH=.*/USELDAPAUTH=yes/g' $AUTHCONFIG
-if ! [ $? -eq 0 ]; then
- echo "USELDAPAUTH=yes" >> $AUTHCONFIG
-fi
-
-# Try find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'True'
-# if ldap_id_use_start_tls isn't here, add it
-# if [domain/..] doesn't exist, add it here for default domain
-if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
- sed -i 's/ldap_id_use_start_tls[^(\n)]*/ldap_id_use_start_tls = True/' $SSSD_CONF
-elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
- sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = True" $SSSD_CONF
-else
- mkdir -p /etc/sssd
- touch $SSSD_CONF
- echo -e "[domain/default]\nldap_id_use_start_tls = True" >> $SSSD_CONF
-fi
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
index a196220340..ed502062e4 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
@@ -2,40 +2,23 @@
<definition class="compliance" id="sssd_ldap_start_tls" version="1">
<metadata>
<title>Configure SSSD LDAP Backend to Use TLS For All Transactions</title>
- <affected family="unix">
- <platform>multi_platform_wrlinux</platform>
- <platform>multi_platform_rhel</platform>
- <platform>multi_platform_ol</platform>
- </affected>
+ {{{- oval_affected(products) }}}
<description>LDAP should be used for authentication and use STARTTLS</description>
</metadata>
- <criteria operator="AND">
- <criterion comment="Using LDAP for authentication set within /etc/sysconfig/authconfig" test_ref="test_use_ldap_authentication" />
+ <criteria>
<criterion comment="LDAP uses STARTTLS set within /etc/sssd/sssd.conf" test_ref="test_use_starttls" />
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist"
- comment="Ensures that LDAP is being used for authentication"
- id="test_use_ldap_authentication" version="1">
- <ind:object object_ref="object_use_ldap_authentication_authconfig" />
- </ind:textfilecontent54_test>
-
<ind:textfilecontent54_test check="all" check_existence="all_exist"
comment="Ensures that LDAP uses STARTTLS"
id="test_use_starttls" version="1">
<ind:object object_ref="object_use_starttls_sssd_conf" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_use_ldap_authentication_authconfig" version="1">
- <ind:filepath>/etc/sysconfig/authconfig</ind:filepath>
- <ind:pattern operation="pattern match">^USELDAPAUTH=((?i)yes)[ ]*$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-
<ind:textfilecontent54_object id="object_use_starttls_sssd_conf" version="1">
<ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ ]*=[ ]*((?i)true)[ ]*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ \t]*=[ \t]*((?i)true)[ \t]*$</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
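Review bot: The pattern on the changed line, together with `<ind:instance datatype="int">1</ind:instance>`, makes the test pass as soon as one `[domain/...]` section contains `ldap_id_use_start_tls = true`; a host with a second LDAP domain that omits the option or sets it to `false` still passes, because the `[^\n\[\]]*` group stops at the next section header and only the first match is examined. A second, negated criterion using the same expression with `((?i)false)` in place of `((?i)true)` would at least catch the explicitly disabled case; absence in one of several domains is hard to express in textfilecontent54 and deserves a comment on the object stating that only the first matching domain is checked. This limitation predates the hunk, which changes only the whitespace classes, so the note is about scope rather than a regression.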
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
index b81a8b8ff5..452de1d014 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml
@@ -5,15 +5,14 @@ prodtype: ol7,ol8,rhel7,rhel8,wrlinux1019
title: 'Configure SSSD LDAP Backend to Use TLS For All Transactions'
description: |-
- This check verifies that {{{ full_name }}} implements cryptography
- to protect the integrity of remote LDAP authentication sessions.
+ The LDAP client should be configured to implement TLS for the integrity
+ of all remote LDAP authentication sessions. If the <tt>id_provider</tt> is
+ set to <tt>ldap</tt> or <tt>ipa</tt> in <tt>/etc/sssd/sssd.conf</tt> or any of the
+ <tt>/etc/sssd/sssd.conf.d</tt> configuration files, <tt>ldap_id_use_start_tls</tt>
+ must be set to <tt>true</tt>.
<br /><br />
- To determine if LDAP is being used for authentication, use the following
- command:
- <pre>$ sudo grep -i useldapauth /etc/sysconfig/authconfig</pre>
- <br /><br />
- If <tt>USELDAPAUTH=yes</tt>, then LDAP is being used. To check if LDAP is
- configured to use TLS, use the following command:
+ To check if LDAP is configured to use TLS when <tt>id_provider</tt> is
+ set to <tt>ldap</tt> or <tt>ipa</tt>, use the following command:
<pre>$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf</pre>
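Review bot: The new description says the requirement also covers the `/etc/sssd/sssd.conf.d` configuration files, but the OVAL object in `sssd_ldap_start_tls/oval/shared.xml` reads only `/etc/sssd/sssd.conf`, and the check command given here greps only that file, so a domain defined under `sssd.conf.d/` with TLS disabled passes the check while the prose says it must not. Either drop the `sssd.conf.d` clause from the description, or extend the OVAL (an `<ind:path>`/`<ind:filename>` object over `/etc/sssd/sssd.conf.d` behind a second criterion) and the grep command to match. The same description says the requirement applies when `id_provider` is `ldap` or `ipa`, whereas the new `sssd-ldap` platform only excludes `ad`; the two should agree.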
rationale: |-
@@ -41,8 +40,10 @@ references:
iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
cis-csc: 11,12,14,15,3,8,9
-ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''True'''
+ocil_clause: 'the ''ldap_id_use_start_tls'' option is not set to ''true'''
ocil: |-
If the system is not using TLS, set the <tt>ldap_id_use_start_tls</tt> option
- in <tt>/etc/sssd/sssd.conf</tt> to <tt>True</tt>.
+ in <tt>/etc/sssd/sssd.conf</tt> to <tt>true</tt>.
+
+platform: sssd-ldap
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh
new file mode 100644
index 0000000000..83ae606ece
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ad_id_provider_and_tls_false.notapplicable.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
+sed -i 's/ldap_id_use_start_tls = true/ldap_id_use_start_tls = false/I' /etc/sssd/sssd.conf
+sed -i 's/id_provider = ldap/id_provider = ad/I' /etc/sssd/sssd.conf
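Review bot: The `sed -i 's/ldap_id_use_start_tls = true/…/I'` and `s/id_provider = ldap/…/I'` substitutions here, in `id_provider_is_set_to_ad.notapplicable.sh` and in `ldap_id_provider_and_tls_false.fail.sh` only take effect if the shared `sssd.conf` fixture spells the options with exactly one space on each side of `=`; if the fixture is ever reformatted, the `.fail.sh` scenarios silently become passing configurations and the suite still reports green. Asserting the edit afterwards, e.g. `grep -qiE '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*false' /etc/sssd/sssd.conf || exit 1`, or matching `[[:space:]]*=[[:space:]]*` in the sed pattern, makes such a drift fail loudly. The fixture itself is not in this diff, so its current format is unconfirmed.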
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
similarity index 50%
rename from linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh
rename to linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
index 75a80d37cc..99ca3f8fba 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_not_there.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value.pass.sh
@@ -2,6 +2,7 @@
# profiles = xccdf_org.ssgproject.content_profile_stig
. $SHARED/setup_config_files.sh
-setup_correct_auth_and_sssd_configs
+setup_correct_sssd_config
-sed -i '/USELDAPAUTH/d' /etc/sysconfig/authconfig
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh
new file mode 100644
index 0000000000..9ec246444f
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/id_provider_is_set_to_ad.notapplicable.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
+sed -i 's/id_provider = ldap/id_provider = ad/I' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh
new file mode 100644
index 0000000000..f0942ddf74
--- /dev/null
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_id_provider_and_tls_false.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
+
+sed -i 's/ldap_id_use_start_tls = true/ldap_id_use_start_tls = false/I' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh
deleted file mode 100644
index 4bbf0ad01a..0000000000
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_false.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_stig
-
-. $SHARED/setup_config_files.sh
-setup_correct_auth_and_sssd_configs
-
-sed -i 's/ldap_id_use_start_tls = True/ldap_id_use_start_tls = False/' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
index 0ce168ed97..3952176952 100644
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
+++ b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/ldap_use_start_tls_not_there.fail.sh
@@ -2,6 +2,9 @@
# profiles = xccdf_org.ssgproject.content_profile_stig
. $SHARED/setup_config_files.sh
-setup_correct_auth_and_sssd_configs
+setup_correct_sssd_config
+
+yum -y install /usr/lib/systemd/system/sssd.service
+systemctl enable sssd
sed -i '/ldap_id_use_start_tls/d' /etc/sssd/sssd.conf
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh
deleted file mode 100644
index f8ca33b8d4..0000000000
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_and_start_tls.pass.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_stig
-
-. $SHARED/setup_config_files.sh
-setup_correct_auth_and_sssd_configs
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh
deleted file mode 100644
index 64b0c21c28..0000000000
--- a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/useldapauth_no.fail.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/bash
-# profiles = xccdf_org.ssgproject.content_profile_stig
-
-. $SHARED/setup_config_files.sh
-setup_correct_auth_and_sssd_configs
-
-sed -i 's/USELDAPAUTH=yes/USELDAPAUTH=no/' /etc/sysconfig/authconfig
diff --git a/ol7/cpe/ol7-cpe-dictionary.xml b/ol7/cpe/ol7-cpe-dictionary.xml
index 5d4691aaf6..59c5c728aa 100644
--- a/ol7/cpe/ol7-cpe-dictionary.xml
+++ b/ol7/cpe/ol7-cpe-dictionary.xml
@@ -76,4 +76,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:sssd-ldap">
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
+ </cpe-item>
</cpe-list>
diff --git a/ol8/cpe/ol8-cpe-dictionary.xml b/ol8/cpe/ol8-cpe-dictionary.xml
index 35167b1f70..473ba36235 100644
--- a/ol8/cpe/ol8-cpe-dictionary.xml
+++ b/ol8/cpe/ol8-cpe-dictionary.xml
@@ -71,4 +71,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:sssd-ldap">
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel7/cpe/rhel7-cpe-dictionary.xml b/rhel7/cpe/rhel7-cpe-dictionary.xml
index bc2aa869e8..e6b88f55cd 100644
--- a/rhel7/cpe/rhel7-cpe-dictionary.xml
+++ b/rhel7/cpe/rhel7-cpe-dictionary.xml
@@ -106,4 +106,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:sssd-ldap">
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
+ </cpe-item>
</cpe-list>
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 41745ea4c3..3d8647de70 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -235,6 +235,7 @@ selections:
- accounts_tmout
- sshd_enable_warning_banner
- sssd_ldap_start_tls
+ - sssd_ldap_start_tls.severity=medium
- sssd_ldap_configure_tls_ca_dir
- sssd_ldap_configure_tls_ca
- sysctl_kernel_randomize_va_space
diff --git a/rhel8/cpe/rhel8-cpe-dictionary.xml b/rhel8/cpe/rhel8-cpe-dictionary.xml
index eab827291f..699251868d 100644
--- a/rhel8/cpe/rhel8-cpe-dictionary.xml
+++ b/rhel8/cpe/rhel8-cpe-dictionary.xml
@@ -76,4 +76,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:sssd-ldap">
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
+ </cpe-item>
</cpe-list>
diff --git a/shared/checks/oval/sssd_conf_uses_ldap.xml b/shared/checks/oval/sssd_conf_uses_ldap.xml
new file mode 100644
index 0000000000..985c1bd8ef
--- /dev/null
+++ b/shared/checks/oval/sssd_conf_uses_ldap.xml
@@ -0,0 +1,28 @@
+<def-group>
+ <definition class="inventory" id="sssd_conf_uses_ldap" version="1">
+ <metadata>
+ <title>SSSD is configured to use LDAP</title>
+ <affected family="unix">
+ <platform>multi_platform_all</platform>
+ </affected>
+ <description>Identification provider is not set to ad within /etc/sssd/sssd.conf</description>
+ <reference ref_id="cpe:/a:sssd-ldap" source="CPE" />
+ </metadata>
+ <criteria>
+ <criterion comment="Identification provider is not set to ad within /etc/sssd/sssd.conf"
+ test_ref="test_id_provider_is_set_to_ad" negate="true"/>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist"
+ comment="SSSD Configuration is set to use Active Directory"
+ id="test_id_provider_is_set_to_ad" version="1">
+ <ind:object object_ref="object_id_provider_is_set_to_ad"/>
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_id_provider_is_set_to_ad" version="1">
+ <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
+ <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
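Review bot: The inventory titled "SSSD is configured to use LDAP" asserts only that `id_provider` is not `ad`, so hosts with `id_provider = files`, `proxy` or `krb5`, and — as I read the `all_exist` existence semantics — hosts with no `/etc/sssd/sssd.conf` at all (the negated test is true when the object collects nothing) are classed as LDAP platforms and the dependent rules then fail on them, while the `bash_sssd_ldap_config` macro in this same commit treats a missing file as not applicable, so check and remediation disagree. Since `sssd_ldap_start_tls/rule.yml` states the requirement applies when `id_provider` is `ldap` or `ipa`, a positive match is the clearer criterion: `<ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)(ldap|ipa))[ \t]*$</ind:pattern>` with `negate="true"` dropped from the criterion and the comments and `<description>` reworded to match. Whether the STIG intends `files`-provider hosts to be in scope should be confirmed before switching.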
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index ecaf14ced9..babce11aff 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja
@@ -534,3 +534,29 @@
<description>{{{ description }}}</description>
</metadata>
{{%- endmacro %}}
+
+
+{{% macro bash_sssd_ldap_config(parameter, value) -%}}
+SSSD_CONF="/etc/sssd/sssd.conf"
+LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*{{{ parameter }}}'
+AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
+DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
+
+# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
+# Try to find [domain/..] and {{{ parameter }}} in sssd.conf, if it exists, set to '{{{ value }}}'
+# if {{{ parameter }}} isn't here, add it
+# if [domain/..] doesn't exist, add it here for default domain
+if grep -qvzosP $AD_REGEX $SSSD_CONF; then
+ if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
+ sed -i "s#{{{ parameter }}}[^(\n)]*#{{{ parameter }}} = {{{ value }}}#" $SSSD_CONF
+ elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
+ sed -i "/$DOMAIN_REGEX/a {{{ parameter }}} = {{{ value }}}" $SSSD_CONF
+ else
+ if test -f "$SSSD_CONF"; then
+ echo -e "[domain/default]\n{{{ parameter }}} = {{{ value }}}" >> $SSSD_CONF
+ else
+ echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
+ fi
+ fi
+fi
+{{%- endmacro %}}
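Review bot: The `test -f "$SSSD_CONF"` branch at the end can never take its `else` path, because the enclosing `grep -qvzosP $AD_REGEX $SSSD_CONF` only succeeds when the file exists and is non-empty (a missing file exits 2, an empty one yields no record for `-v` to select), so the "doesnt exist, not remediating" message is dead and a missing or empty config is skipped silently. Checking for the file before the grep keeps the message reachable, and the regex and path expansions should be double-quoted, since the unquoted `[[:space:]]*…` patterns are subject to pathname expansion. The `$` inside `AD_REGEX` also deserves a second look: under `-z` the whole file is a single record, and whether `$` then matches at each line end or only at end-of-file depends on the grep version (some releases reject `^`/`$` with `-Pz` outright), so an `id_provider = ad` line followed by further options might go unrecognised on some targets and the remediation would then run on an AD domain. A quick run against a multi-line domain section on each supported grep would settle it.
```jinja
{{# … unchanged: SSSD_CONF / LDAP_REGEX / AD_REGEX / DOMAIN_REGEX assignments and comments … #}}
if ! test -f "$SSSD_CONF"; then
  echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
elif grep -qvzosP -- "$AD_REGEX" "$SSSD_CONF"; then
  if grep -qzosP -- "$LDAP_REGEX" "$SSSD_CONF"; then
    sed -i "s#{{{ parameter }}}[^(\n)]*#{{{ parameter }}} = {{{ value }}}#" "$SSSD_CONF"
  elif grep -qs -- "$DOMAIN_REGEX" "$SSSD_CONF"; then
    sed -i "/$DOMAIN_REGEX/a {{{ parameter }}} = {{{ value }}}" "$SSSD_CONF"
  else
    echo -e "[domain/default]\n{{{ parameter }}} = {{{ value }}}" >> "$SSSD_CONF"
  fi
fi
```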
diff --git a/ssg/constants.py b/ssg/constants.py
index 3f9d7d37ce..2af2c580a2 100644
--- a/ssg/constants.py
+++ b/ssg/constants.py
@@ -496,6 +496,7 @@
"pam": "cpe:/a:pam",
"login_defs": "cpe:/a:login_defs",
"sssd": "cpe:/a:sssd",
+ "sssd-ldap": "cpe:/a:sssd-ldap",
"systemd": "cpe:/a:systemd",
"yum": "cpe:/a:yum",
"zipl": "cpe:/a:zipl",
diff --git a/tests/shared/setup_config_files.sh b/tests/shared/setup_config_files.sh
index 957eab77cb..5bee91890f 100644
--- a/tests/shared/setup_config_files.sh
+++ b/tests/shared/setup_config_files.sh
@@ -1,15 +1,8 @@
#!/bin/bash
-configs_dir="$( dirname "${BASH_SOURCE[0]}" )/example-configs"
+configs_dir="$( dirname "${BASH_SOURCE[0]}" )"
setup_correct_sssd_config() {
mkdir -p /etc/sssd
cp "$configs_dir/sssd.conf" /etc/sssd/
}
-
-setup_correct_auth_and_sssd_configs() {
- mkdir -p /etc/sysconfig
- cp "$configs_dir/authconfig" /etc/sysconfig/
-
- setup_correct_sssd_config
-}
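Review bot: `configs_dir` now points at `tests/shared` itself, but this diff does not show `example-configs/sssd.conf` being moved to `tests/shared/sssd.conf`; unless that rename is in a part of the commit not shown, `cp "$configs_dir/sssd.conf" /etc/sssd/` fails in every scenario. `setup_correct_sssd_config` also ignores `cp`'s exit status, so a missing fixture turns each scenario into a test of whatever `sssd.conf` the image already has rather than a visible setup failure; `cp "$configs_dir/sssd.conf" /etc/sssd/ || exit 1` makes the failure explicit.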
diff --git a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
index ef7e803505..f32e69e118 100644
--- a/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
+++ b/wrlinux1019/cpe/wrlinux1019-cpe-dictionary.xml
@@ -75,4 +75,8 @@
<title xml:lang="en-us">System uses zipl</title>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">installed_env_has_zipl_package</check>
</cpe-item>
+ <cpe-item name="cpe:/a:sssd-ldap">
+ <title xml:lang="en-us">SSSD is configured to use LDAP</title>
+ <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="filename">sssd_conf_uses_ldap</check>
+ </cpe-item>
</cpe-list>