From: kspargur <kspargur(a)kspargur.csb>
---
.../ldap_server_config_certificate_usage.xml | 79 ++++++++++++++++++++
.../checks/ldap_server_config_olcsecurity.xml | 37 ---------
.../ldap_server_config_olcsecurity_simple_bind.xml | 32 ++++++++
.../checks/ldap_server_config_olcsecurity_tls.xml | 32 ++++++++
4 files changed, 143 insertions(+), 37 deletions(-)
create mode 100644 rhel6/src/input/checks/ldap_server_config_certificate_usage.xml
delete mode 100644 rhel6/src/input/checks/ldap_server_config_olcsecurity.xml
create mode 100644 rhel6/src/input/checks/ldap_server_config_olcsecurity_simple_bind.xml
create mode 100644 rhel6/src/input/checks/ldap_server_config_olcsecurity_tls.xml
diff --git a/rhel6/src/input/checks/ldap_server_config_certificate_usage.xml b/rhel6/src/input/checks/ldap_server_config_certificate_usage.xml
new file mode 100644
index 0000000..13f69cb
--- /dev/null
+++ b/rhel6/src/input/checks/ldap_server_config_certificate_usage.xml
@@ -0,0 +1,79 @@
+<def-group>
+ <definition class="compliance"
+ id="ldap_server_config_certificate_usage" version="1">
+ <metadata>
+ <title>LDAP Server Should Use Strong Encryption</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="TODO:CCE" source="CCE" />
+ <description>If installed, LDAP server should be configured use strong certificate based encryption using a CA Cert, Private Key, and Public Cert.</description>
+ </metadata>
+ <criteria comment="If installed, LDAP server should be configured to use strong encryption"
+ operator="AND">
+ <extend_definition comment="openldap server should only be present if it fulfills an operational requirement"
+ definition_ref="package_openldap-servers_installed" />
+ <criterion test_ref="test_ldap_server_config_certificate_usage_ca" />
+ <criterion test_ref="test_ldap_server_config_certificate_usage_cert" />
+ <criterion test_ref="test_ldap_server_config_certificate_usage_key" />
+ </criteria>
+ </definition>
+
+
+ <ind:textfilecontent54_test check="all"
+ check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*olcTLSCACertificateFile[\s]*:[\s]*(.*)$ expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
+ id="test_ldap_server_config_certificate_usage_ca" version="1">
+ <ind:object object_ref="obj_ldap_server_config_certificate_usage_ca" />
+ <ind:state state_ref="state_ldap_server_config_certificate_usage_ca" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_ldap_server_config_certificate_usage_ca"
+ version="1">
+ <ind:subexpression operation="equals">/etc/pki/tls/CA/cacert.pem</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_object id="obj_ldap_server_config_certificate_usage_ca"
+ version="1">
+ <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
+ <ind:filename operation="pattern match">olcDatabase.*bdb.ldif</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*olcTLSCACertificateFile[\s]*:[\s]*(.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all"
+ check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*olcTLSCertificateFile[\s]*:[\s]*(.*)$ expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
+ id="test_ldap_server_config_certificate_usage_cert" version="1">
+ <ind:object object_ref="obj_ldap_server_config_certificate_usage_cert" />
+ <ind:state state_ref="state_ldap_server_config_certificate_usage_cert" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_ldap_server_config_certificate_usage_cert"
+ version="1">
+ <ind:subexpression operation="equals">/etc/pki/tls/ldap/servercert.pem</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_object id="obj_ldap_server_config_certificate_usage_cert"
+ version="1">
+ <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
+ <ind:filename operation="pattern match">olcDatabase.*bdb.ldif</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*olcTLSCertificateFile[\s]*:[\s]*(.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all"
+ check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*olcTLSCertificateKeyFile[\s]*:[\s]*(.*)$ expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
+ id="test_ldap_server_config_certificate_usage_key" version="1">
+ <ind:object object_ref="obj_ldap_server_config_certificate_usage_key" />
+ <ind:state state_ref="state_ldap_server_config_certificate_usage_key" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_state id="state_ldap_server_config_certificate_usage_key"
+ version="1">
+ <ind:subexpression operation="equals">/etc/pki/tls/ldap/serverkey.pem</ind:subexpression>
+ </ind:textfilecontent54_state>
+ <ind:textfilecontent54_object id="obj_ldap_server_config_certificate_usage_key"
+ version="1">
+ <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
+ <ind:filename operation="pattern match">olcDatabase.*bdb.ldif</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*olcTLSCertificateKeyFile[\s]*:[\s]*(.*)$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
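Review bot: The three objects at lines L51–L57, L70–L76 and L89–L95 look for the olcTLSCACertificateFile, olcTLSCertificateFile and olcTLSCertificateKeyFile attributes inside `olcDatabase.*bdb.ldif`, but in OpenLDAP's cn=config layout the olcTLS* settings are, as far as I know, attributes of the global cn=config entry (stored in cn=config.ldif under the same directory), not of a database entry, so with `check_existence="all_exist"` these tests would fail on a correctly configured server; confirm against a live slapd.d and, if so, change the three filename elements to `<ind:filename>cn=config.ldif</ind:filename>`. Independently, each state compares the `(.*)$` capture with `operation="equals"` against one fixed path, so any trailing whitespace on the LDIF line or a site that keeps its certificates elsewhere is reported as non-compliant even though TLS is fully configured; a `pattern match` state such as `^/etc/pki/tls/.*\.pem$`, or a check that the attribute is merely present and non-empty, would match the stated intent of the definition better. The description at L27 also reads "should be configured use strong" and is missing "to".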
diff --git a/rhel6/src/input/checks/ldap_server_config_olcsecurity.xml b/rhel6/src/input/checks/ldap_server_config_olcsecurity.xml
deleted file mode 100644
index e4bbe30..0000000
--- a/rhel6/src/input/checks/ldap_server_config_olcsecurity.xml
+++ /dev/null
@@ -1,37 +0,0 @@
-<def-group>
- <definition class="compliance"
- id="ldap_server_config_olcsecurity" version="1">
- <metadata>
- <title>LDAP Server Should Use TLS</title>
- <affected family="unix">
- <platform>Red Hat Enterprise Linux 6</platform>
- </affected>
- <reference ref_id="TODO:CCE" source="CCE" />
- <description>If installed, LDAP server should use TLS.</description>
- </metadata>
- <criteria comment="If installed, LDAP server should be configured to use strong encryption"
- operator="AND">
- <extend_definition comment="openldap server should only be present if it fulfills an operational requirement"
- definition_ref="package_openldap-servers_installed" />
- <criterion test_ref="test_20141" />
- </criteria>
- </definition>
- <ind:textfilecontent54_test check="all"
- check_existence="all_exist"
- comment="Tests the value of the ^[\s]*olcSecurity[\s]*:[\s]*(.*)$ expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
- id="test_20141" version="1">
- <ind:object object_ref="obj_20141" />
- <ind:state state_ref="state_20141" />
- </ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20141"
- version="1">
- <ind:subexpression operation="equals">tls=128</ind:subexpression>
- </ind:textfilecontent54_state>
- <ind:textfilecontent54_object id="obj_20141"
- version="1">
- <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
- <ind:filename operation="pattern match">olcDatabase.*bdb.ldif</ind:filename>
- <ind:pattern operation="pattern match">^[\s]*olcSecurity[\s]*:[\s]*(.*)$</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
-</def-group>
diff --git a/rhel6/src/input/checks/ldap_server_config_olcsecurity_simple_bind.xml b/rhel6/src/input/checks/ldap_server_config_olcsecurity_simple_bind.xml
new file mode 100644
index 0000000..19bc8b7
--- /dev/null
+++ b/rhel6/src/input/checks/ldap_server_config_olcsecurity_simple_bind.xml
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance"
+ id="ldap_server_config_olcsecurity_simple_bind" version="1">
+ <metadata>
+ <title>LDAP Server Should Require Protected Binds</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="TODO:CCE" source="CCE" />
+ <description>If installed, LDAP server should require secure binds.</description>
+ </metadata>
+ <criteria comment="If installed, LDAP server should be configured to use strong encryption"
+ operator="AND">
+ <extend_definition comment="openldap server should only be present if it fulfills an operational requirement"
+ definition_ref="package_openldap-servers_installed" />
+ <criterion test_ref="test_ldap_server_config_olcsecurity_simple_bind" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
+ check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*olcSecurity[\s]*:[\s]*.*simple_bind=128.* expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
+ id="test_ldap_server_config_olcsecurity_simple_bind" version="1">
+ <ind:object object_ref="obj_ldap_server_config_olcsecurity_simple_bind" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ldap_server_config_olcsecurity_simple_bind"
+ version="1">
+ <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
+ <ind:filename operation="pattern match">olcDatabase.*bdb.ldif</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*olcSecurity[\s]*:[\s]*\.*simple_bind=128.*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
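Review bot: The pattern at L174 is `^[\s]*olcSecurity[\s]*:[\s]*\.*simple_bind=128.*`, and `\.*` matches zero or more literal dots rather than any characters, so the test only matches when simple_bind=128 is the first factor on the olcSecurity line; a server configured as `olcSecurity: tls=128 simple_bind=128` would be reported non-compliant. The comment at L166 describes the intended expression with `.*`, so the fix is to make the pattern agree with it: `<ind:pattern operation="pattern match">^[\s]*olcSecurity[\s]*:[\s]*.*simple_bind=128.*</ind:pattern>`. The same `\.*` typo appears at L212 of ldap_server_config_olcsecurity_tls.xml, where it should likewise become `.*tls=128.*`. Note also that matching the literal `128` treats a stricter setting such as `simple_bind=256` as a failure; if that is not intended, a pattern that accepts any value of at least 128 would be safer.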
diff --git a/rhel6/src/input/checks/ldap_server_config_olcsecurity_tls.xml b/rhel6/src/input/checks/ldap_server_config_olcsecurity_tls.xml
new file mode 100644
index 0000000..99a422d
--- /dev/null
+++ b/rhel6/src/input/checks/ldap_server_config_olcsecurity_tls.xml
@@ -0,0 +1,32 @@
+<def-group>
+ <definition class="compliance"
+ id="ldap_server_config_olcsecurity_tls" version="1">
+ <metadata>
+ <title>LDAP Server Should Use TLS</title>
+ <affected family="unix">
+ <platform>Red Hat Enterprise Linux 6</platform>
+ </affected>
+ <reference ref_id="TODO:CCE" source="CCE" />
+ <description>If installed, LDAP server should use TLS.</description>
+ </metadata>
+ <criteria comment="If installed, LDAP server should be configured to use strong encryption"
+ operator="AND">
+ <extend_definition comment="openldap server should only be present if it fulfills an operational requirement"
+ definition_ref="package_openldap-servers_installed" />
+ <criterion test_ref="test_ldap_server_config_olcsecurity_tls" />
+ </criteria>
+ </definition>
+ <ind:textfilecontent54_test check="all"
+ check_existence="all_exist"
+ comment="Tests the value of the ^[\s]*olcSecurity[\s]*:[\s]*.*tls=128.* expression in the /etc/openldap/slapd.d/cn=config/olcDatabase*bdb.ldif file"
+ id="test_ldap_server_config_olcsecurity_tls" version="1">
+ <ind:object object_ref="obj_ldap_server_config_olcsecurity_tls" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="obj_ldap_server_config_olcsecurity_tls"
+ version="1">
+ <ind:path>/etc/openldap/slapd.d/cn=config</ind:path>
+ <ind:filename operation="pattern match">olcDatabase.*bdb.ldif</ind:filename>
+ <ind:pattern operation="pattern match">^[\s]*olcSecurity[\s]*:[\s]*\.*tls=128.*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+</def-group>
--
1.7.7.6