Signed-off-by: Kevin Spargur <[email protected]> --- .../input/checks/ldap_client_pam_ldap_present.xml | 32 +++++++++++++ rhel6/src/input/checks/ldap_client_start_tls.xml | 32 +++++++++++++ .../input/checks/ldap_client_tls_cacertpath.xml | 48 ++++++++++++++++++++ .../src/input/checks/ldap_client_tls_checkpeer.xml | 31 ------------- .../src/input/checks/package_pam_ldap_removed.xml | 26 +++++++++++ rhel6/src/input/profiles/common.xml | 3 +- rhel6/src/input/services/ldap.xml | 48 +++++++++++++------- 7 files changed, 171 insertions(+), 49 deletions(-) create mode 100644 rhel6/src/input/checks/ldap_client_pam_ldap_present.xml create mode 100644 rhel6/src/input/checks/ldap_client_start_tls.xml create mode 100644 rhel6/src/input/checks/ldap_client_tls_cacertpath.xml delete mode 100644 rhel6/src/input/checks/ldap_client_tls_checkpeer.xml create mode 100644 rhel6/src/input/checks/package_pam_ldap_removed.xml
diff --git a/rhel6/src/input/checks/ldap_client_pam_ldap_present.xml b/rhel6/src/input/checks/ldap_client_pam_ldap_present.xml
new file mode 100644
index 0000000..9b8b1ba
--- /dev/null
+++ b/rhel6/src/input/checks/ldap_client_pam_ldap_present.xml
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance"
+ id="ldap_client_pam_ldap_present" version="1">
+ <metadata>
+ <title>Test for use of pam_ldap</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="CCE-14894-0" source="CCE" />
+ <description>Check for pam_ldap.so presence.</description>
+ </metadata>
+ <criteria comment="package pam_ldap is present and used" operator="OR">
+ <extend_definition comment="pam_ldap rpm installed? (note negation)"
+ definition_ref="package_pam_ldap_removed" negate="true"/>
+ <criterion comment="look for pam_ldap.so"
+ test_ref="test_ldap_client_pam_ldap_present" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
+ check_existence="at_least_one_exists"
+ comment="Check if pam_ldap.so is uncommented in a file in pam.d"
+ id="test_ldap_client_pam_ldap_present" version="1">
+ <ind:object object_ref="obj_ldap_client_pam_ldap_present" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ldap_client_pam_ldap_present"
+ version="1">
+ <ind:path>/etc/pam.d</ind:path>
+ <ind:filename operation="pattern match">.*</ind:filename>
+ <ind:pattern operation="pattern match">^[^#].*pam_ldap.so[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/rhel6/src/input/checks/ldap_client_start_tls.xml b/rhel6/src/input/checks/ldap_client_start_tls.xml
new file mode 100644
index 0000000..d1c7803
--- /dev/null
+++ b/rhel6/src/input/checks/ldap_client_start_tls.xml
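Review bot: The pattern `^[^#].*pam_ldap.so[\s]*$` in obj_ldap_client_pam_ldap_present only matches when pam_ldap.so is the last token on the line, so a pam.d entry that passes module arguments after the module name is not detected as use of pam_ldap; the unescaped `.` also matches any character. `^[^#].*pam_ldap\.so` would catch the in-use case regardless of trailing arguments. The reference `CCE-14894-0` is attached here although the same CCE is used by the two rules later in this commit; this is a helper definition rather than a configuration item, so the reference is better dropped or given its own identifier. Since ldap_client_start_tls and ldap_client_tls_cacertpath both negate this definition, a missed match here lets those rules pass on a host that does use pam_ldap with arguments, although the rpm-installed branch of the OR will usually still fire.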
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance"
+ id="ldap_client_start_tls" version="1">
+ <metadata>
+ <title>Configure LDAP to Use TLS for All Transactions</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="CCE-14894-0" source="CCE" />
+ <description>Require the use of TLS for ldap clients.</description>
+ </metadata>
+ <criteria comment="package pam_ldap is not present" operator="OR">
+ <extend_definition comment="pam_ldap not present or not in use"
+ definition_ref="ldap_client_pam_ldap_present" negate="true" />
+ <criterion comment="look for ssl start_tls in /etc/pam_ldap.conf"
+ test_ref="test_ldap_client_start_tls_ssl" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
+ check_existence="at_least_one_exists"
+ comment="Tests the value of the ssl start_tls setting in the /etc/pam_ldap.conf file"
+ id="test_ldap_client_start_tls_ssl" version="1">
+ <ind:object object_ref="obj_ldap_client_start_tls_ssl" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ldap_client_start_tls_ssl"
+ version="1">
+ <ind:path>/etc</ind:path>
+ <ind:filename>pam_ldap.conf</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*ssl[\s]+start_tls[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/rhel6/src/input/checks/ldap_client_tls_cacertpath.xml b/rhel6/src/input/checks/ldap_client_tls_cacertpath.xml
new file mode 100644
index 0000000..1f91ba0
--- /dev/null
+++ b/rhel6/src/input/checks/ldap_client_tls_cacertpath.xml
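Review bot: The criteria comment `package pam_ldap is not present` on the OR block does not describe what it evaluates — the definition passes when pam_ldap is absent or not in use, or when `ssl start_tls` is set — so `comment="pam_ldap not in use, or ssl start_tls configured"` would be accurate. The description `Require the use of TLS for ldap clients.` is reused verbatim by ldap_client_tls_cacertpath in the next hunk; a distinct description per definition helps when OVAL results are read on their own. Note also that the test is satisfied by the first line matching `ssl start_tls` and does not look for a conflicting `ssl` directive elsewhere in the same file; whether pam_ldap honours the last occurrence is not established here and may be worth confirming before relying on this check.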
@@ -0,0 +1,48 @@
+<def-group>
+ <definition class="compliance"
+ id="ldap_client_tls_cacertpath" version="1">
+ <metadata>
+ <title>Configure LDAP CA Certificate Path</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="CCE-14894-0" source="CCE" />
+ <description>Require the use of TLS for ldap clients.</description>
+ </metadata>
+ <criteria comment="package pam_ldap is not present" operator="OR">
+ <extend_definition comment="pam_ldap not present or in use"
+ definition_ref="ldap_client_pam_ldap_present" negate="true" />
+ <criterion comment="look for tls_cacertdir in /etc/pam_ldap.conf"
+ test_ref="test_ldap_client_tls_cacertdir" />
+ <criterion comment="look for tls_cacertfile in /etc/pam_ldap.conf"
+ test_ref="test_ldap_client_tls_cacertfile" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
+ check_existence="at_least_one_exists"
+ comment="Tests the value of the tls_cacertdir setting in the /etc/pam_ldap.conf file"
+ id="test_ldap_client_tls_cacertdir" version="1">
+ <ind:object object_ref="obj_ldap_client_tls_cacertdir" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ldap_client_tls_cacertdir"
+ version="1">
+ <ind:path>/etc</ind:path>
+ <ind:filename>pam_ldap.conf</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*tls_cacertdir[\s]+.*[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all"
+ check_existence="at_least_one_exists"
+ comment="Tests the value of the tls_cacertfile setting in the /etc/pam_ldap.conf file"
+ id="test_ldap_client_tls_cacertfile" version="1">
+ <ind:object object_ref="obj_ldap_client_tls_cacertfile" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ldap_client_tls_cacertfile"
+ version="1">
+ <ind:path>/etc</ind:path>
+ <ind:filename>pam_ldap.conf</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*tls_cacertfile[\s]+.*[\s]*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
diff --git a/rhel6/src/input/checks/ldap_client_tls_checkpeer.xml b/rhel6/src/input/checks/ldap_client_tls_checkpeer.xml
deleted file mode 100644
index ea42118..0000000
--- a/rhel6/src/input/checks/ldap_client_tls_checkpeer.xml
+++ /dev/null
@@ -1,31 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="ldap_client_tls_checkpeer" version="1">
- <metadata>
- <title>Configure LDAP to Use TLS for All Transactions</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <reference ref_id="CCE-14894-0" source="CCE" />
- <description>Clients require LDAP servers to provide valid
- certificates for SSL communications.</description>
- </metadata>
- <criteria>
- <criterion comment="look for tls_checkpeer yess in /etc/ldap.conf"
- test_ref="test_202885" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all"
- check_existence="at_least_one_exists"
- comment="Tests the value of the tls_checkpeer[\s]+yes setting in the /etc/ldap.conf file"
- id="test_202885" version="1">
- <ind:object object_ref="obj_202885" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="obj_202885"
- version="1">
- <ind:path>/etc</ind:path>
- <ind:filename>ldap.conf</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*tls_checkpeer[\s]+yes</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/checks/package_pam_ldap_removed.xml b/rhel6/src/input/checks/package_pam_ldap_removed.xml
new file mode 100644
index 0000000..a51220a
--- /dev/null
+++ b/rhel6/src/input/checks/package_pam_ldap_removed.xml
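Review bot: The removed ldap_client_tls_checkpeer definition required an explicit `tls_checkpeer yes`, but its replacement only requires that a `tls_cacertdir` or `tls_cacertfile` line exists in /etc/pam_ldap.conf, so a file that also sets `tls_checkpeer no` now passes while peer verification is off; a negated criterion on `^[\s]*tls_checkpeer[\s]+no`, or keeping the checkpeer test pointed at /etc/pam_ldap.conf, would close that gap. The extend_definition comment `pam_ldap not present or in use` is missing a word — with negate="true" it means "not present or not in use", as worded in ldap_client_start_tls. The metadata description `Require the use of TLS for ldap clients.` is copied from ldap_client_start_tls and should describe this check, e.g. `Require a CA certificate path to be configured for pam_ldap TLS connections.`. The value part of both patterns, `[\s]+.*[\s]*$`, accepts an empty value after the keyword; `[\s]+\S+` would require one.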
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="package_pam_ldap_removed"
+ version="1">
+ <metadata>
+ <title>Package pam_ldap Installed</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="14881-7" source="CCE" />
+ <description>The RPM package pam_ldap should be not be present unless
+user authentication against LDAP is a requirement.</description>
+ </metadata>
+ <criteria>
+ <criterion comment="package pam_ldap is removed"
+ test_ref="test_package_pam_ldap_removed" />
+ </criteria>
+ </definition>
+ <linux:rpminfo_test check="all" check_existence="none_exist"
+ id="test_package_pam_ldap_removed" version="1"
+ comment="package pam_ldap is removed">
+ <linux:object object_ref="obj_package_pam_ldap_removed" />
+ </linux:rpminfo_test>
+ <linux:rpminfo_object id="obj_package_pam_ldap_removed" version="1">
+ <linux:name>pam_ldap</linux:name>
+ </linux:rpminfo_object>
+</def-group>
diff --git a/rhel6/src/input/profiles/common.xml b/rhel6/src/input/profiles/common.xml
index ba6add5..cb6024f 100644
--- a/rhel6/src/input/profiles/common.xml
+++ b/rhel6/src/input/profiles/common.xml
@@ -130,7 +130,8 @@
 <select idref="enable_ntpd" selected="true"/>
 <select idref="ntpd_specify_remote_server" selected="true"/>
 <select idref="postfix_network_listening" selected="true"/>
-<select idref="ldap_client_tls_checkpeer" selected="true"/>
+<select idref="ldap_client_start_tls" selected="true"/>
+<select idref="ldap_client_tls_cacertpath" selected="true"/>
 <select idref="package_openldap-servers_removed" selected="true"/>
 <!-- acting as an NFS client is normal for many roles. these should likely be moved out of common.
diff --git a/rhel6/src/input/services/ldap.xml b/rhel6/src/input/services/ldap.xml
index 3e8959c..f2efc2a 100644
--- a/rhel6/src/input/services/ldap.xml
+++ b/rhel6/src/input/services/ldap.xml
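Review bot: The title `Package pam_ldap Installed` states the opposite of what the definition checks — the rpminfo_test uses check_existence="none_exist" and the id is package_pam_ldap_removed — so `<title>Package pam_ldap Removed</title>` is the matching title. The reference `ref_id="14881-7"` lacks the `CCE-` prefix that every other reference in this commit carries (`CCE-14894-0`); tooling that keys on the full identifier may not match the two forms. The description also reads `should be not be present`, where `should not be present` is intended. This definition is only consumed through the negated extend_definition in ldap_client_pam_ldap_present, so nothing selects it as a rule on its own.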
@@ -25,25 +25,39 @@ environment.</description>
 LDAP client, ensure that a working LDAP server is present on the network.</warning>
-<Rule id="ldap_client_tls_checkpeer">
+<Rule id="ldap_client_start_tls">
 <title>LDAP Uses TLS For All Transactions</title>
-<description>
-Ensure a copy of the site's CA certificate has been placed in
-the file <tt>/etc/pki/tls/CA/cacert.pem</tt>.
-Configure LDAP to enforce TLS use and to trust certificates
-signed by the site's CA. First, edit the file <tt>/etc/pam_ldap.conf</tt>,
-and add or correct the following lines:
-<pre>ssl start_tls
-tls_checkpeer yes
-tls_cacertdir /etc/pki/tls/CA
-tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre>
-Then edit <tt>/etc/openldap/ldap.conf</tt>, and add or correct the
-following lines:
-<pre>TLS_CACERTDIR /etc/pki/tls/CA
-TLS_CACERT /etc/pki/tls/CA/cacert.pem</pre>
+<description>Configure LDAP to enforce TLS use. First, edit the file
+<tt>/etc/pam_ldap.conf</tt>, and add or correct the following lines:
+<pre>ssl start_tls</pre>
+Then review the LDAP server and ensure TLS has been configured.
+</description>
+<rationale>The ssl directive specifies whether to use ssl or not. If
+not specified it will default to no. It should be set to start_tls rather
+than doing LDAP over SSL.</rationale>
+<ref disa="776,778" />
+<ident cce="14894-0" />
+<oval id="ldap_client_start_tls" />
+</Rule>
+
+<Rule id="ldap_client_tls_cacertpath">
+<title>LDAP Uses TLS For All Transactions</title>
+<description>Ensure a copy of the site's CA certificate has been placed in
+the file <tt>/etc/pki/tls/CA/cacert.pem</tt>. Configure LDAP to enforce TLS
+use and to trust certificates signed by the site's CA. First, edit the file
+<tt>/etc/pam_ldap.conf</tt>, and add or correct either of the following lines:
+<pre>tls_cacertdir /etc/pki/tls/CA</pre>
+or
+<pre>tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre>
+Then review the LDAP server and ensure TLS has been configured.
 </description>
+<rationale>The tls_cacertdir or tls_cacertfile directives are required when
+tls_cheekpeer is configured (which is the default for openldap versions 2.1 and
+up). These directives define the path to the trust certificates signed by the
+site CA.</rationale>
+<ref disa="776,778" />
 <ident cce="14894-0" />
-<oval id="ldap_client_tls_checkpeer" />
+<oval id="ldap_client_tls_cacertpath" />
 </Rule>
 </Group><!--End <Group id="openldap_client"> -->
@@ -58,7 +72,7 @@ securing an OpenLDAP infrastructure nonetheless.
 </description>
 <Rule id="package_openldap-servers_removed">
-<title>Install OpenLDAP Server RPM</title>
+<title>Uninstall the OpenLDAP Server RPM</title>
 <description>The <tt>openldap-servers</tt> package should be removed if not in use. Is this machine the OpenLDAP server? If not, remove the package: <pre># yum erase openldap-servers</pre>
-- 1.7.7.6 _______________________________________________ scap-security-guide mailing list [email protected] https://fedorahosted.org/mailman/listinfo/scap-security-guide
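Review bot: The rationale added to ldap_client_tls_cacertpath misspells the directive as `tls_cheekpeer`; it should read `tls_checkpeer`, since that is the name an administrator will look for in pam_ldap.conf. Both new Rules carry the same `<title>LDAP Uses TLS For All Transactions</title>` and the same `<ident cce="14894-0" />`, so they are indistinguishable in generated guides and result reports; the second rule needs its own title (for example `LDAP Client Trusts Certificates Signed by the Site CA`) and, since a CCE identifies a single configuration item, its own identifier. The rewrite also drops the `/etc/openldap/ldap.conf` guidance (`TLS_CACERTDIR`/`TLS_CACERT`) that the removed description gave, leaving no rule text for the openldap client tools; if that is intentional, a sentence saying so would keep the next reader from re-adding it. The enclosing `<Group id="openldap_client">` starts before this hunk.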
