STIGQter STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications.

DISA Rule

SV-204582r603261_rule

Vulnerability Number

V-204582

Group Title

SRG-OS-000250-GPOS-00093

Rule Version

RHEL-07-040190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions.

Add or modify the following line in "/etc/sssd/sssd.conf":

ldap_tls_reqcert = demand

Check Contents

If LDAP is not being utilized, this requirement is Not Applicable.

Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.

To determine if LDAP is being used for authentication, use the following command:

# systemctl status sssd.service
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago

If the "sssd.service" is "active", then LDAP is being used.

Determine the "id_provider" the LDAP is currently using:

# grep -i "id_provider" /etc/sssd/sssd.conf

id_provider = ad

If "id_provider" is set to "ad", this is Not Applicable.

Verify the sssd service is configured to require the use of certificates:

# grep -i tls_reqcert /etc/sssd/sssd.conf
ldap_tls_reqcert = demand

If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding.

If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.

Vulnerability Number

V-204582

Documentable

False

Rule Version

RHEL-07-040190

Severity Override Guidance

If LDAP is not being utilized, this requirement is Not Applicable.

Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions.

To determine if LDAP is being used for authentication, use the following command:

# systemctl status sssd.service
sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-06-27 10:58:11 EST; 1h 50min ago

If the "sssd.service" is "active", then LDAP is being used.

Determine the "id_provider" the LDAP is currently using:

# grep -i "id_provider" /etc/sssd/sssd.conf

id_provider = ad

If "id_provider" is set to "ad", this is Not Applicable.

Verify the sssd service is configured to require the use of certificates:

# grep -i tls_reqcert /etc/sssd/sssd.conf
ldap_tls_reqcert = demand

If the "ldap_tls_reqcert" setting is missing, commented out, or does not exist, this is a finding.

If the "ldap_tls_reqcert" setting is not set to "demand" or "hard", this is a finding.

Check Content Reference

M

Target Key

2899

Comments