Configure SSSD LDAP Backend to Use TLS For All Transactions

An XCCDF Rule

Description

The LDAP client should be configured to implement TLS for the integrity of all remote LDAP authentication sessions. If the id_provider is set to ldap or ipa in /etc/sssd/sssd.conf or any of the /etc/sssd/sssd.conf.d configuration files, ldap_id_use_start_tls must be set to true.

To check if LDAP is configured to use TLS when id_provider is set to ldap or ipa, use the following command:

$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf

Rationale

Without cryptographic integrity protections, information can be altered by unauthorized users without detection. The ssl directive specifies whether to use TLS or not. If not specified it will default to no. It should be set to start_tls rather than doing LDAP over SSL.

ID: xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls
Severity: High
References: 11 12 14 15 3 8 9

APO13.01 BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS01.04 DSS05.02 DSS05.03 DSS05.05 DSS06.06

CCI-001453

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 3.1 SR 3.5 SR 3.8 SR 4.1 SR 4.3 SR 5.1 SR 5.2 SR 5.3 SR 7.1 SR 7.6

A.11.2.6 A.12.1.2 A.12.5.1 A.12.6.2 A.13.1.1 A.13.2.1 A.14.1.3 A.14.2.2 A.14.2.3 A.14.2.4 A.6.2.1 A.6.2.2 A.9.1.2

CM-6(a) CM-7(a) CM-7(b)

PR.AC-3 PR.IP-1 PR.PT-3 PR.PT-4

SRG-OS-000250-GPOS-00093
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - sssd_ldap_start_tls
  - unknown_strategy

- name: Test for id_provider different than Active Directory (ad)
  command: grep -qzosP '[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'
    /etc/sssd/sssd.conf
  register: test_id_provider
  failed_when: false
  changed_when: false
  check_mode: false
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - sssd_ldap_start_tls
  - unknown_strategy

- name: Test for domain group
  command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
  register: test_grep_domain
  failed_when: false
  changed_when: false
  check_mode: false
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - sssd_ldap_start_tls
  - unknown_strategy

- name: Add default domain group and set ldap_id_use_start_tls in sssd configuration
    (if no domain there)
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ item.section }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    mode: 384
  with_items:
  - section: sssd
    option: domains
    value: default
  - section: domain/default
    option: ldap_id_use_start_tls
    value: 'true'
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length < 1
  - test_id_provider.stdout is defined
  - test_id_provider.stdout | length < 1
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - sssd_ldap_start_tls
  - unknown_strategy

- name: Set ldap_id_use_start_tls in sssd configuration
  ini_file:
    path: /etc/sssd/sssd.conf
    section: '{{ test_grep_domain.stdout | regex_replace(''\[(.*)\]'',''\1'') }}'
    option: ldap_id_use_start_tls
    value: 'true'
    mode: 384
  when:
  - '"sssd-common" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - test_grep_domain.stdout is defined
  - test_grep_domain.stdout | length > 0
  - test_id_provider.stdout is defined
  - test_id_provider.stdout | length < 1
  tags:
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - high_severity
  - low_complexity
  - medium_disruption
  - no_reboot_needed
  - sssd_ldap_start_tls
  - unknown_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q sssd-common; then

SSSD_CONF="/etc/sssd/sssd.conf"
LDAP_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*ldap_id_use_start_tls'
AD_REGEX='[[:space:]]*\[domain\/[^]]*]([^(\n)]*(\n)+)+?[[:space:]]*id_provider[[:space:]]*=[[:space:]]*((?i)ad)[[:space:]]*$'DOMAIN_REGEX="[[:space:]]*\[domain\/[^]]*]"

# Check if id_provider is not set to ad (Active Directory) which makes start_tls not applicable, note the -v option to invert the grep.
# Try to find [domain/..] and ldap_id_use_start_tls in sssd.conf, if it exists, set to 'true'
# if ldap_id_use_start_tls isn't here, add it
# if [domain/..] doesn't exist, add it here for default domain
if grep -qvzosP $AD_REGEX $SSSD_CONF; then
        if grep -qzosP $LDAP_REGEX $SSSD_CONF; then
                
                sed -i "s#ldap_id_use_start_tls[^(\n)]*#ldap_id_use_start_tls = true#" $SSSD_CONF
        elif grep -qs $DOMAIN_REGEX $SSSD_CONF; then
                sed -i "/$DOMAIN_REGEX/a ldap_id_use_start_tls = true" $SSSD_CONF
        else
                if test -f "$SSSD_CONF"; then
                        echo -e "[domain/default]\nldap_id_use_start_tls = true" >> $SSSD_CONF
                else
                        echo "Config file '$SSSD_CONF' doesnt exist, not remediating, assuming non-applicability." >&2
                fi
        fi
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure SSSD LDAP Backend to Use TLS For All Transactions

Description

Rationale

Remediation - Ansible

Remediation - Shell Script