Enable Certmap in SSSD
An XCCDF Rule
Description
SSSD should be configured to verify the certificate of the user or group. To set this up, ensure that a section like certmap/testing.test/rule_name is set up in /etc/sssd/sssd.conf. For example:

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
Warning
Automatic remediation of this control is not available, since all of the settings in the certmap need to be customized.
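Because the rule has no automatic remediation, a manual audit of the file is useful. The following is an added example, not part of the rule or of the SSG project's own check: it parses the text of an sssd.conf, lists the certmap sections it finds, and reports rules that lack matchrule or maprule or that name a domain with no [domain/...] section in the same file. The function name, the explicit-keys policy and the sample configuration are assumptions of this example.

```python
import configparser
import re

# Section header shape from the rule text: [certmap/<domain>/<rule_name>]
CERTMAP_SECTION = re.compile(r"^certmap/([^/]+)/([^/]+)$")
# Assumption of this example: rules set these explicitly, like the sample above.
EXPECTED_KEYS = ("matchrule", "maprule")

def audit_certmap(conf_text):
    """Return (rules, findings) for the text of an sssd.conf file."""
    parser = configparser.ConfigParser(
        interpolation=None,   # values such as {cert!bin} are literal
        delimiters=("=",),    # keep ':' and ';' inside values intact
        strict=False,         # tolerate repeated sections instead of raising
    )
    parser.read_string(conf_text)
    rules, findings = [], []
    for section in parser.sections():
        m = CERTMAP_SECTION.match(section)
        if not m:
            continue
        domain, rule = m.groups()
        rules.append((domain, rule))
        for key in EXPECTED_KEYS:
            if not parser.get(section, key, fallback="").strip():
                findings.append(f"[{section}]: {key} is missing or empty")
        if f"domain/{domain}" not in parser:
            findings.append(f"[{section}]: no [domain/{domain}] section in this file")
    if not rules:
        findings.append("no [certmap/<domain>/<rule_name>] section found")
    return rules, findings

# Constructed sample input, modelled on the section shown in the description.
SAMPLE_OK = """\
[sssd]
domains = testing.test

[domain/testing.test]
id_provider = ldap

[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
"""

if __name__ == "__main__":
    print(audit_certmap(SAMPLE_OK))
```

An empty findings list means at least one certmap rule is present and complete by this example's criteria; whether the matchrule and maprule fit the site's certificates still has to be reviewed by hand.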
Rationale
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
- ID: xccdf_org.ssgproject.content_rule_sssd_enable_certmap
- Severity: Medium