# Every remediation task below is gated on "sssd-common" being installed,
# so the package inventory is collected once, up front.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy
# Probe for a [domain/...] section whose id_provider is Active Directory.
# grep runs with -q, so stdout is always empty here; only the exit status
# (0 = AD domain present, 1 = none found, 2 = file unreadable) carries the
# answer for the tasks that consume the registered result.
- name: Test for id_provider different than Active Directory (ad)
  command: >-
    grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
    /etc/sssd/sssd.conf
  register: test_id_provider
  # a non-zero grep exit is a legitimate answer, not a task failure
  failed_when: false
  changed_when: false
  # read-only probe: let it run under --check so the later tasks see a result
  check_mode: false
  when:
    - '"sssd-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy
# Look for any [domain/...] section header in sssd.conf. Unlike the
# id_provider probe this grep has no -q, so the matching header line(s)
# end up in test_grep_domain.stdout and are reused as the ini section name.
- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  # exit 1 (no header) is expected on a fresh install; do not fail the play
  failed_when: false
  changed_when: false
  # read-only probe: let it run under --check so the later tasks see a result
  check_mode: false
  when:
    - '"sssd-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy
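# No [domain/...] section exists yet: create [domain/default], register it in
# [sssd] "domains", and pin ldap_tls_reqcert = demand inside it.
- name: Add default domain group and set ldap_tls_reqcert in sssd configuration (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    # owner-only read/write; written as a quoted octal string rather than the
    # equivalent decimal 384 so the intended permission bits are visible
    mode: '0600'
  with_items:
    - section: sssd
      option: domains
      value: default
    - section: domain/default
      option: ldap_tls_reqcert
      value: demand
  when:
    - '"sssd-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - test_grep_domain.stdout is defined
    - test_grep_domain.stdout | length < 1
    # The id_provider probe runs grep -q, so its stdout is always empty and a
    # stdout-length test could never detect an AD domain. The exit status is
    # the only signal: rc != 0 means no "id_provider = ad" was found.
    - test_id_provider.rc is defined
    - test_id_provider.rc != 0
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy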
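# A [domain/...] section already exists: set ldap_tls_reqcert = demand in it.
# The section name is the header line captured by the domain probe with its
# surrounding brackets stripped.
# NOTE(review): the domain probe prints every matching header, so with more
# than one [domain/...] section stdout spans several lines and the derived
# section name would not be a single section — confirm single-domain configs
# are the only supported input here.
- name: Set ldap_tls_reqcert in sssd configuration
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
    option: ldap_tls_reqcert
    value: demand
    # owner-only read/write; written as a quoted octal string rather than the
    # equivalent decimal 384 so the intended permission bits are visible
    mode: '0600'
  when:
    - '"sssd-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - test_grep_domain.stdout is defined
    - test_grep_domain.stdout | length > 0
    # The id_provider probe runs grep -q, so its stdout is always empty and a
    # stdout-length test could never detect an AD domain. The exit status is
    # the only signal: rc != 0 means no "id_provider = ad" was found.
    - test_id_provider.rc is defined
    - test_id_provider.rc != 0
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy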
# Collect the drop-in configuration files so the same ldap_tls_reqcert fix can
# be applied to each of them in the next task.
- name: Find all the conf files inside /etc/sssd/conf.d/
  find:
    paths: /etc/sssd/conf.d/
    # quoted: a bare '*' at the start of a plain scalar is a YAML alias sigil
    patterns: '*.conf'
  register: sssd_conf_d_files
  when:
    - '"sssd-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy
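# Rewrite any uncommented ldap_tls_reqcert line in each conf.d drop-in.
- name: Set ldap_tls_reqcert to demand in /etc/sssd/conf.d/ if exists
  ansible.builtin.replace:
    path: '{{ item.path }}'
    # Anchored to a single line. The previous pattern '[^#]*ldap_tls_reqcert.*'
    # let the negated class run across newlines, so everything from the last
    # '#' (or the start of the file) up to the ldap_tls_reqcert line — section
    # headers and other options included — was collapsed into the replacement.
    # '^' and '$' are per-line because the replace module works in MULTILINE mode.
    regexp: '^[^#\n]*ldap_tls_reqcert.*$'
    replace: ldap_tls_reqcert = demand
  # default([]) keeps the loop expression valid when the find task was skipped
  # and its registered result carries no 'files' key; the loop is expanded
  # before 'when' is evaluated, so an undefined attribute would abort the play.
  with_items: '{{ sssd_conf_d_files.files | default([]) }}'
  when:
    - '"sssd-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-SC-12(3)
    - low_complexity
    - medium_disruption
    - medium_severity
    - no_reboot_needed
    - sssd_ldap_configure_tls_reqcert
    - unknown_strategy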
Remediation - Shell Script
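# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then
    SSSD_CONF="/etc/sssd/sssd.conf"
    LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_reqcert'
    AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
    DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"
    # Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
    # Try to find [domain/..] and ldap_tls_reqcert in sssd.conf, if it exists, set to 'demand'
    # if ldap_tls_reqcert isn't here, add it
    # if [domain/..] doesn't exist, add it here for default domain
    #
    # Every expansion below is double-quoted: the regexes contain '*', '[' and
    # '?', which an unquoted expansion hands to pathname expansion first, so a
    # stray file in the working directory could silently replace the pattern.
    if grep -qvzosP "$AD_REGEX" "$SSSD_CONF"; then
        if grep -qzosP "$LDAP_REGEX" "$SSSD_CONF"; then
            # an ldap_tls_reqcert line exists somewhere below a [domain/..] header: rewrite its value
            sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" "$SSSD_CONF"
        elif grep -qs "$DOMAIN_REGEX" "$SSSD_CONF"; then
            # no such line, but a [domain/..] header exists: append the option right after it
            sed -i "/$DOMAIN_REGEX/a ldap_tls_reqcert = demand" "$SSSD_CONF"
        else
            if test -f "$SSSD_CONF"; then
                echo -e "[domain/default]\nldap_tls_reqcert = demand" >> "$SSSD_CONF"
            else
                # NOTE(review): with -s a missing file makes the outer grep exit 2
                # (not 0), so this branch appears unreachable — confirm before
                # relying on the message below.
                echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
            fi
        fi
    fi
    # apply the same rewrite to every drop-in; an empty result leaves the loop body unexecuted
    readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name "*.conf")
    for SSSD_CONF_D_FILE in "${SSSD_CONF_D_FILES[@]}"; do
        sed -i "s#ldap_tls_reqcert[^(\n)]*#ldap_tls_reqcert = demand#" "$SSSD_CONF_D_FILE"
    done
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi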