Check: GEN008040
HP-UX 11.23 STIG:
GEN008040
(in version v1 r8)
Title
If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked. (Cat II impact)
Discussion
LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires authentication.
Check Content
Determine if the system uses LDAP. If it does not, this is not applicable. # swlist | grep LDAP OR # cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap If no lines are returned for either of the above commands, this vulnerability is not applicable. Verify the LDAP client is configured to check certificates against a certificate revocation list. # cat /etc/ldap.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | \ grep -i "^tls_crlcheck" If the setting does not exist, or the value is not all, this is a finding.
Fix Text
Edit /etc/ldap.conf and add or set the tls_crlcheck setting to all.
Additional Identifiers
Rule ID: SV-38382r1_rule
Vulnerability ID: V-22558
Group Title: GEN008040
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |