
Enable Certmap in SSSD

An XCCDF Rule

Description

SSSD should be configured to verify the certificate of the user or group. To set this up, ensure that a section of the form certmap/testing.test/rule_name is set up in /etc/sssd/sssd.conf. For example:

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test

Warning

Automatic remediation of this control is not available, since all of the settings in the certmap need to be customized.
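Because remediation is manual, a read-only check is still useful for auditing. The following is an added example, not part of the SCAP content or of SSSD: it parses sssd.conf text and reports whether a [certmap/<domain>/<rule>] section exists with both a matchrule and a maprule (the sample configuration embedded below is constructed from the rule on this page; the function names are the example's own).

```python
import configparser

# Constructed sample: the certmap rule from this page placed in a minimal
# sssd.conf so the checker can run offline.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = testing.test

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
"""

REQUIRED_KEYS = ("matchrule", "maprule")

def parse_sssd_conf(text):
    # Interpolation off: {cert!bin} is an SSSD template, not configparser syntax.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def certmap_findings(text):
    """Return a list of problems; empty means the rule passes. A pass needs
    at least one [certmap/<domain>/<rule>] section, each with a matchrule
    and a maprule, whose domains list (if set) names the header's domain."""
    parser = parse_sssd_conf(text)
    sections = [s for s in parser.sections() if s.startswith("certmap/")]
    if not sections:
        return ["no [certmap/<domain>/<rule>] section found"]
    findings = []
    for section in sections:
        parts = section.split("/")
        if len(parts) != 3 or not all(parts):
            findings.append(f"{section}: malformed section name")
            continue
        for key in REQUIRED_KEYS:
            if not parser.get(section, key, fallback="").strip():
                findings.append(f"{section}: missing {key}")
        listed = parser.get(section, "domains", fallback="")
        domains = [d.strip() for d in listed.split(",") if d.strip()]
        if domains and parts[1] not in domains:
            findings.append(f"{section}: domains does not include {parts[1]}")
    return findings

def certmap_enabled(text):
    return not certmap_findings(text)
```

To audit a live system, read /etc/sssd/sssd.conf (root-only, mode 0600) and pass its contents to certmap_findings.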

Rationale

Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.

ID
xccdf_org.ssgproject.content_rule_sssd_enable_certmap
Severity
Medium
References
Updated