Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

An XCCDF Rule

Description

Configure SSSD to demand a valid certificate from the server to protect the integrity of LDAP remote access sessions by setting the

ldap_tls_reqcert

option in

/etc/sssd/sssd.conf

to demand.

Rationale

Without a valid certificate presented to the LDAP client backend, the identity of a server can be forged compromising LDAP remote access sessions.

ID: xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_reqcert
Severity: Medium
References: CCI-001453

CM-6(a) SC-12(3)

SRG-OS-000250-GPOS-00093

R67
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

- name: Test for id_provider different than Active Directory (ad)
  command: grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
    /etc/sssd/sssd.conf
  register: test_id_provider
  failed_when: false
  changed_when: false
  check_mode: false
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  failed_when: false
  changed_when: false
  check_mode: false
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

- name: Add default domain group and set ldap_tls_reqcert in sssd configuration (if
    no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: ldap_tls_reqcert
    value: demand
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - test_id_provider.stdout is defined
  - test_id_provider.stdout | length < 1
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

- name: Set ldap_tls_reqcert in sssd configuration
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
    option: ldap_tls_reqcert
    value: demand
    mode: 384
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length > 0
  - test_id_provider.stdout is defined
  - test_id_provider.stdout | length < 1
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

- name: Find all the conf files inside /etc/sssd/conf.d/
  find:
    paths: /etc/sssd/conf.d/
    patterns: '*.conf'
  register: sssd_conf_d_files
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

- name: Set ldap_tls_reqcert to demand in /etc/sssd/conf.d/ if exists
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: '[^#]*ldap_tls_reqcert.*'
    replace: ldap_tls_reqcert = demand
  with_items: '{{ sssd_conf_d_files.files }}'
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_reqcert
  - unknown_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && rpm --quiet -q sssd-common; then

SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert'
AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"

# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
# Try to find [domain/..] and ldap_tls_reqcert in sssd.conf, if it exists, set to 'demand'
# if ldap_tls_reqcert isn't here, add it
# if [domain/..] doesn't exist, add it here for default domain
if grep -qvzosP $AD_REGEX $SSSD_CONF; then
        if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
                
                sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" $SSSD_CONF
        elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
                sed -i "/$DOMAIN_REGEX/a ldap_tls_reqcert = demand" $SSSD_CONF
        else
                if test -f "$SSSD_CONF"; then
                        echo -e "[domain/default]\nldap_tls_reqcert = demand" >> $SSSD_CONF
                else
                        echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
                fi
        fi
fi

readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name "*.conf")
for SSSD_CONF_D_FILE in "${SSSD_CONF_D_FILES[@]}"; do
    sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" "$SSSD_CONF_D_FILE"
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure SSSD LDAP Backend Client to Demand a Valid Certificate from the Server

Description

Rationale

Remediation - Ansible

Remediation - Shell Script