Check: GEN008020
AIX 5.3 STIG:
GEN008020
(in version v1 r3)
Title
If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate and this certificate has a valid trust path to a trusted CA. (Cat II impact)
Discussion
The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.
Check Content
Check if the system is using LDAP authentication. #grep LDAP /etc/security/user If no lines are returned, this vulnerability is not applicable. Verify SSL is enabled. #grep '^useSSL' /etc/security/ldap/ldap.cfg If yes is not the returned value, this is a finding. Verify a server certificate is required and verified by the LDAP configuration. #grep -I '^ldapsslkeyf' /etc/security/ldap/ldap.cfg Make note of the key database file location. #gsk7cmd -cert -list CA -db <certificate keyfile.kdb> -pw <Password> Make note of the Key Label. #gsk7cmd -cert -details -showOID -db <certificate key.kdb> -pw <Password> -label <Key Label> THE IBM GSK Database should only have certificates for the client system and for the LDAP server. If more certificates are in the key database than the LDAP server and the client, this is a finding.
Fix Text
Install a certificate signed by a DoD PKI or a DoD-approved external PKI. #gsk7cmd < or > ikeyman Remove un-needed CA certificates. #gsk7cmd < or > ikeyman
Additional Identifiers
Rule ID: SV-38966r1_rule
Vulnerability ID: V-22557
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |