Merge pull request ComplianceAsCode#11476 from Mab879/sssd_include_dr…

…op_in Update Select SSSD Rules for RHEL 7 STIG Update
sig-bsi-grundschutz · Jan 25, 2024 · 1016ad3 · 1016ad3
2 parents 1c4be7e + 02bdaff
commit 1016ad3
Show file tree

Hide file tree

Showing 12 changed files with 33 additions and 4 deletions.
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca/rule.yml
@@ -43,4 +43,8 @@ ocil: |-
     The output should return the following with a correctly configured CA cert path:
     <pre>ldap_tls_cacert /path/to/tls/ca.cert</pre>
 
+warnings:
+    - general:
+        A remediation is not provided for this rule as each system has unique requirements.
+
 platform: sssd-ldap
diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml
@@ -32,7 +32,6 @@ references:
     nist: SC-12(3),CM-6(a)
     srg: SRG-OS-000250-GPOS-00093
     stigid@ol7: OL07-00-040200
-    stigid@rhel7: RHEL-07-040200
 
 ocil_clause: 'the TLS CA cert is not configured'
 

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/oval/shared.xml
@@ -14,7 +14,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_sssd_ldap_tls_reqcert" version="1">
-    <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
+    <ind:filepath operation="pattern match">^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_tls_reqcert[ \t]*=[ \t]*((?i)demand)[ \t]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/...p/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh b/...p/sssd_ldap_configure_tls_reqcert/tests/ad_id_provider_and_reqcert_never.notapplicable.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
 
 . $SHARED/setup_config_files.sh
 setup_correct_sssd_config

diff --git a/...guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh b/...guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value.pass.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
 
 . $SHARED/setup_config_files.sh
 setup_correct_sssd_config
diff --git a/...ervices/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value_dropin.pass.sh b/...ervices/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/correct_value_dropin.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+sed -i '/ldap_tls_reqcert/d' /etc/sssd/sssd.conf
+
+echo '[domain/default]' >> /etc/sssd/conf.d/cac.conf
+echo 'ldap_tls_reqcert = demand' >> /etc/sssd/conf.d/cac.conf
+systemctl enable sssd
diff --git a/...sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh b/...sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/id_provider_is_set_to_ad.notapplicable.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
 
 . $SHARED/setup_config_files.sh
 setup_correct_sssd_config

diff --git a/...ssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh b/...ssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_id_provider_and_reqcert_never.fail.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
 
 . $SHARED/setup_config_files.sh
 setup_correct_sssd_config

diff --git a/...s/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh b/...s/sssd/sssd-ldap/sssd_ldap_configure_tls_reqcert/tests/ldap_tls_reqcert_not_there.fail.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
 
 . $SHARED/setup_config_files.sh
 setup_correct_sssd_config

diff --git a/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml b/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/oval/shared.xml
@@ -13,7 +13,7 @@
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="object_use_starttls_sssd_conf" version="1">
-    <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
+    <ind:filepath operation="pattern match">^\/etc\/sssd\/(sssd.conf|conf\.d\/.+\.conf)$</ind:filepath>
     <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*ldap_id_use_start_tls[ \t]*=[ \t]*((?i)true)[ \t]*$</ind:pattern>
     <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>

diff --git a/...x_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value_dropin.pass.sh b/...x_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/tests/correct_value_dropin.pass.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# packages = /usr/lib/systemd/system/sssd.service
+
+. $SHARED/setup_config_files.sh
+setup_correct_sssd_config
+
+sed -i '/ldap_id_use_start_tls/d' /etc/sssd/sssd.conf
+
+echo '[domain/default]' >> /etc/sssd/conf.d/cac.conf
+echo 'ldap_id_use_start_tls = True' >> /etc/sssd/conf.d/cac.conf
+systemctl enable sssd
diff --git a/products/rhel7/profiles/stig.profile b/products/rhel7/profiles/stig.profile
@@ -259,7 +259,6 @@ selections:
     - sshd_enable_warning_banner
     - sssd_ldap_start_tls
     - sssd_ldap_start_tls.severity=medium
-    - sssd_ldap_configure_tls_ca_dir
     - sssd_ldap_configure_tls_ca
     - sssd_ldap_configure_tls_reqcert
     - sysctl_kernel_randomize_va_space