Certificate status checking in SSSD

An XCCDF Rule

Description

Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards. Configuring certificate_verification to

ocsp_dgst=

ensures that certificates for multifactor solutions are checked via Online Certificate Status Protocol (OCSP).

Rationale

Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system.

ID: xccdf_org.ssgproject.content_rule_sssd_certificate_verification
Severity: Medium
References: CCI-001954 CCI-004046

IA-2(11)

SRG-OS-000375-GPOS-00160 SRG-OS-000377-GPOS-00162

SV-230274r1017089_rule
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-RHEL-08-010400
  - NIST-800-53-IA-2(11)  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_certificate_verification
- name: XCCDF Value var_sssd_certificate_verification_digest_function # promote to variable
  set_fact:
    var_sssd_certificate_verification_digest_function: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_certificate_verification_digest_function" use="legacy"/>
  tags:
    - always
- name: Ensure that "certificate_verification" is not set in /etc/sssd/sssd.conf
  ini_file:
    path: /etc/sssd/sssd.conf
    section: sssd
    option: certificate_verification
    state: absent
    mode: 384
  when: '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-08-010400
  - NIST-800-53-IA-2(11)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_certificate_verification

- name: Ensure that "certificate_verification" is not set in  /etc/sssd/conf.d/*.conf
  ini_file:
    path: /etc/sssd/conf.d/*.conf
    section: sssd
    option: certificate_verification
    state: absent
    mode: 384
  when: '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-08-010400
  - NIST-800-53-IA-2(11)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_certificate_verification

- name: Ensure that "certificate_verification" is set
  ini_file:
    path: /etc/sssd/conf.d/certificate_verification.conf
    section: sssd
    option: certificate_verification
    value: ocsp_dgst={{ var_sssd_certificate_verification_digest_function }}
    state: present
    mode: 384
  when: '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-RHEL-08-010400
  - NIST-800-53-IA-2(11)
  - configure_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_certificate_verification

# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
var_sssd_certificate_verification_digest_function='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_certificate_verification_digest_function" use="legacy"/>'


# sssd configuration files must be created with 600 permissions if they don't exist# otherwise the sssd module fails to start
OLD_UMASK=$(umask)
umask u=rw,go=

MAIN_CONF="/etc/sssd/conf.d/certificate_verification.conf"

found=false

# set value in all files if they contain section or key
for f in $(echo -n "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf"); do
    if [ ! -e "$f" ]; then
        continue
    fi

    # find key in section and change value
    if grep -qzosP "[[:space:]]*\[sssd\]([^\n\[]*\n+)+?[[:space:]]*certificate_verification" "$f"; then

            sed -i "s/certificate_verification[^(\n)]*/certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function/" "$f"

            found=true

    # find section and add key = value to it
    elif grep -qs "[[:space:]]*\[sssd\]" "$f"; then

            sed -i "/[[:space:]]*\[sssd\]/a certificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" "$f"

            found=true
    fi
done

# if section not in any file, append section with key = value to FIRST file in files parameter
if ! $found ; then
    file=$(echo "$MAIN_CONF /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf" | cut -f1 -d ' ')
    mkdir -p "$(dirname "$file")"

    echo -e "[sssd]\ncertificate_verification=ocsp_dgst=$var_sssd_certificate_verification_digest_function" >> "$file"

fi

umask $OLD_UMASK

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Certificate status checking in SSSD

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script