Certificate status checking in SSSD
An XCCDF Rule
Description
Multifactor solutions that require devices separate from information systems gaining access include,
for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
Configuring certificate_verification
to ocsp_dgst=
ensures that certificates for
multifactor solutions are checked via Online Certificate Status Protocol (OCSP).
Rationale
Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP) ensures the security of the system.
- ID
- xccdf_org.ssgproject.content_rule_sssd_certificate_verification
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q sssd-common; then
var_sssd_certificate_verification_digest_function='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_certificate_verification_digest_function" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-08-010400
- NIST-800-53-IA-2(11)