Configure SSSD LDAP Backend Client CA Certificate Location

An XCCDF Rule

Description

Configure SSSD to implement cryptography to protect the integrity of LDAP remote access sessions. By setting the

ldap_tls_cacertdir

option in

/etc/sssd/sssd.conf

to point to the path for the X.509 certificates used for peer authentication.

ldap_tls_cacertdir /path/to/tls/cacert

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Cryptographic mechanisms used for protecting the integrity of information include, for example, signed hash functions using asymmetric cryptography enabling distribution of the public key to verify the hash information while maintaining the confidentiality of the key used to generate the hash.

ID: xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir
Severity: Medium
References: CCI-001453

CM-6(a) SC-12(3)

SRG-OS-000250-GPOS-00093

OL07-00-040200

SV-221845r991554_rule
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy
- name: XCCDF Value var_sssd_ldap_tls_ca_dir # promote to variable
  set_fact:
    var_sssd_ldap_tls_ca_dir: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_ldap_tls_ca_dir" use="legacy"/>
  tags:
    - always

- name: Test for id_provider different than Active Directory (ad)
  command: grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
    /etc/sssd/sssd.conf
  register: test_id_provider
  failed_when: false
  changed_when: false
  check_mode: false
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy

- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  failed_when: false
  changed_when: false
  check_mode: false
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy

- name: Add default domain group and set ldap_tls_cacertdir in sssd configuration
    (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: ldap_tls_cacertdir
    value: '{{ var_sssd_ldap_tls_ca_dir }}'
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - test_id_provider.stdout is defined
  - test_id_provider.stdout | length < 1
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy

- name: Set ldap_tls_cacertdir in sssd configuration
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
    option: ldap_tls_cacertdir
    value: '{{ var_sssd_ldap_tls_ca_dir }}'
    mode: 384
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length > 0
  - test_id_provider.stdout is defined
  - test_id_provider.stdout | length < 1
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy

- name: Find all the conf files inside /etc/sssd/conf.d/
  find:
    paths: /etc/sssd/conf.d/
    patterns: '*.conf'
  register: sssd_conf_d_files
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy

- name: Set ldap_tls_cacertdir to {{ var_sssd_ldap_tls_ca_dir }} in /etc/sssd/conf.d/
    if exists
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: '[^#]*ldap_tls_cacertdir.*'
    replace: ldap_tls_cacertdir = {{ var_sssd_ldap_tls_ca_dir }}
  with_items: '{{ sssd_conf_d_files.files }}'
  when:
  - '"kernel" in ansible_facts.packages'
  - '"sssd-common" in ansible_facts.packages'
  tags:
  - DISA-STIG-OL07-00-040200
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-12(3)
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - sssd_ldap_configure_tls_ca_dir
  - unknown_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && rpm --quiet -q sssd-common; then

var_sssd_ldap_tls_ca_dir='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sssd_ldap_tls_ca_dir" use="legacy"/>'

SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_tls_cacertdir'
AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"

# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
# Try to find [domain/..] and ldap_tls_cacertdir in sssd.conf, if it exists, set to '$var_sssd_ldap_tls_ca_dir'
# if ldap_tls_cacertdir isn't here, add it
# if [domain/..] doesn't exist, add it here for default domain
if grep -qvzosP $AD_REGEX $SSSD_CONF; then
        if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
                
                sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" $SSSD_CONF
        elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
                sed -i "/$DOMAIN_REGEX/a ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" $SSSD_CONF
        else
                if test -f "$SSSD_CONF"; then
                        echo -e "[domain/default]\nldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir" >> $SSSD_CONF
                else
                        echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
                fi
        fi
fi

readarray -t SSSD_CONF_D_FILES < <(find /etc/sssd/conf.d/ -name "*.conf")
for SSSD_CONF_D_FILE in "${SSSD_CONF_D_FILES[@]}"; do
    sed -i "s#ldap_tls_cacertdir[^(\n)]*#ldap_tls_cacertdir = $var_sssd_ldap_tls_ca_dir#" "$SSSD_CONF_D_FILE"
done

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure SSSD LDAP Backend Client CA Certificate Location

Description

Rationale

Remediation - Ansible

Remediation - Shell Script