Check: GEN008020
HP-UX 11.31 STIG:
GEN008020
(in versions v1 r19 through v1 r13)
Title
If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate and this certificate has a valid trust path to a trusted CA. (Cat II impact)
Discussion
The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.
Check Content
Determine if the system uses LDAP. If it does not, this is not applicable. # swlist | grep LDAP OR # cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap If no lines are returned for either of the above commands, LDAP is not installed and this is not applicable. If the LDAP product is installed: # cat /etc/opt/ldapux/ldapux_client.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i peer_cert_policy If /etc/opt/ldapux/ldapux_client.conf setting is peer_cert_policy=WEAK, this is a finding.
Fix Text
Edit /etc/opt/ldapux/ldapux_client.conf and set # Perform the CERT check peer_cert_policy=CERT OR # Perform the CERT check PLUS peer_cert_policy=CNCERT
Additional Identifiers
Rule ID: SV-38381r1_rule
Vulnerability ID: V-22557
Group Title: GEN008020
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |