Hello experts!
I've noticed SSSD configuration rules implemented without verifying whether the SSSD package/service is installed/enabled. In addition, the remediation part doesn't install sssd in case it is missing on the system, thus the fix doesn't work for systems with no sssd on board. Rules:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_ca_dir
- sssd_ldap_start_tls
So I have a couple of questions for clarification on the above: Shouldn't SSSD presence test criteria be added for the mentioned rules and just mark them as passed if no SSSD is observed? With regard to the STIG profile, should the service_sssd_enabled rule be added as a requirement?
Regards, Ilya.
Ilya,
Could you link to the specific sections please?
In my opinion, SSSD should be completely removed if not utilized and the LOCAL provider should never be configured since it allows you to effectively hide accounts from standard scanning utilities.
If you're using LDAP, it completely makes sense.
On Thu, Nov 14, 2019 at 2:12 PM Ilya Okomin ilya.okomin@oracle.com wrote:
Hello experts!
I've noticed SSSD configuration rules implemented without verifying whether the SSSD package/service is installed/enabled. In addition, the remediation part doesn't install sssd in case it is missing on the system, thus the fix doesn't work for systems with no sssd on board. Rules:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_ca_dir
- sssd_ldap_start_tls
So I have a couple of questions for clarification on the above: Shouldn't SSSD presence test criteria be added for the mentioned rules and just mark them as passed if no SSSD is observed? With regard to the STIG profile, should the service_sssd_enabled rule be added as a requirement?
Regards, Ilya.
scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/scap-security-guide@lists.fedor...
On Thu, Nov 14, 2019 at 1:30 PM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Ilya,
Could you link to the specific sections please?
In my opinion, SSSD should be completely removed if not utilized and the LOCAL provider should never be configured since it allows you to effectively hide accounts from standard scanning utilities.
I believe that the local provider is no longer built and delivered and is considered deprecated as of 2 years ago.
If you're using LDAP, it completely makes sense.
Oh lovely :-|.
Well, it seems to have been supplanted by the 'sssd-files' provider that pretty much does the same thing albeit without the handy management commands.
On Thu, Nov 14, 2019 at 3:57 PM Gabe Alford redhatrises@gmail.com wrote:
On Thu, Nov 14, 2019 at 1:30 PM Trevor Vaughan tvaughan@onyxpoint.com wrote:
Ilya,
Could you link to the specific sections please?
In my opinion, SSSD should be completely removed if not utilized and the LOCAL provider should never be configured since it allows you to effectively hide accounts from standard scanning utilities.
I believe that the local provider is no longer built and delivered and is considered deprecated as of 2 years ago.
If you're using LDAP, it completely makes sense.
On Thu, Nov 14, 2019 at 12:12 PM Ilya Okomin ilya.okomin@oracle.com wrote:
Hello experts!
I've noticed SSSD configuration rules implemented without verifying whether the SSSD package/service is installed/enabled. In addition, the remediation part doesn't install sssd in case it is missing on the system, thus the fix doesn't work for systems with no sssd on board. Rules:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_ca_dir
- sssd_ldap_start_tls
So I have a couple of questions for clarification on the above: Shouldn't SSSD presence test criteria be added for the mentioned rules and just mark them as passed if no SSSD is observed?
I believe the CPE check for sssd handles this. If SSSD is not installed, it is `not applicable`. Otherwise, it is pass/fail.
With regard to the STIG profile, should the service_sssd_enabled rule be added as a requirement?
A rule could be added for sure if desired. However, neither `service_sssd_enabled` nor `package_sssd_installed` should really be a requirement.
Regards, Ilya.
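As an added illustration (not SSG's own OVAL/XCCDF content), the following Python evaluator applies the applicability gate Gabe describes (sssd absent means every SSSD rule is `notapplicable`, never `fail`) and then checks the three rules from the thread against a sample sssd.conf. The option names (`services`, `ldap_tls_cacertdir`, `ldap_id_use_start_tls`) and the exact check semantics are assumptions taken from sssd.conf(5), not from the SSG rule definitions.

```python
import configparser

# Rule ids are the three from the thread; option names are assumed from
# sssd.conf(5): "services" in [sssd], the two ldap_* keys in [domain/...].
RULES = ("sssd_enable_pam_services", "sssd_ldap_configure_tls_ca_dir", "sssd_ldap_start_tls")

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def ldap_domains(cp):
    # Only LDAP-backed domains carry the two ldap_* settings the rules inspect
    return [s for s in cp.sections()
            if s.startswith("domain/") and cp.get(s, "id_provider", fallback="") == "ldap"]

def check_pam_services(cp):
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    return "pam" in services

def check_tls_ca_dir(cp):
    ds = ldap_domains(cp)
    return bool(ds) and all(cp.get(d, "ldap_tls_cacertdir", fallback="").strip() for d in ds)

def check_start_tls(cp):
    ds = ldap_domains(cp)
    return bool(ds) and all(
        cp.get(d, "ldap_id_use_start_tls", fallback="false").strip().lower() == "true" for d in ds)

def evaluate(conf_text, sssd_installed):
    # CPE-style applicability gate: with the sssd package absent, every SSSD
    # rule reports "notapplicable" and no remediation would be attempted.
    if not sssd_installed:
        return {r: "notapplicable" for r in RULES}
    cp = parse_sssd_conf(conf_text)
    checks = (check_pam_services, check_tls_ca_dir, check_start_tls)
    return {r: ("pass" if c(cp) else "fail") for r, c in zip(RULES, checks)}

# Constructed sample configs (not taken from any real host)
GOOD_CONF = """[sssd]
services = nss, pam
domains = example
[domain/example]
id_provider = ldap
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = true
"""
WEAK_CONF = """[sssd]
services = nss
[domain/example]
id_provider = ldap
"""
```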
Hello Gabe!
Thanks for your information, this entirely addresses my concern. Note: I was looking at one of the OL7 errata versions and missed that starting from v0.1.45 we have SSSD CPE supported.
Regards, Ilya.
On 11/14/2019 12:30 PM, Gabe Alford wrote:
On Thu, Nov 14, 2019 at 12:12 PM Ilya Okomin ilya.okomin@oracle.com wrote:
Hello experts!
I've noticed SSSD configuration rules implemented without verifying whether the SSSD package/service is installed/enabled. In addition, the remediation part doesn't install sssd in case it is missing on the system, thus the fix doesn't work for systems with no sssd on board. Rules:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_ca_dir
- sssd_ldap_start_tls
So I have a couple of questions for clarification on the above: Shouldn't SSSD presence test criteria be added for the mentioned rules and just mark them as passed if no SSSD is observed?
I believe the CPE check for sssd handles this. If SSSD is not installed, it is `not applicable`. Otherwise, it is pass/fail.
With regard to the STIG profile, should the service_sssd_enabled rule be added as a requirement?
A rule could be added for sure if desired. However, neither `service_sssd_enabled` nor `package_sssd_installed` should really be a requirement.
Regards, Ilya.