Check: AIX7-00-001045
IBM AIX 7.x STIG:
AIX7-00-001045
(in versions v3 r1 through v1 r1)
Title
IF LDAP is used, AIX LDAP client must use SSL to authenticate with LDAP server. (Cat I impact)
Discussion
While LDAP client's authentication type is ldap_auth (server-side authentication), the client sends password to the server in clear text for authentication. SSL must be used in this case.
Check Content
Run the following command to check if "authtype" is "ldap_auth": # grep -iE "^authtype:[[:blank:]]*ldap_auth" /etc/security/ldap/ldap.cfg The above command should yield the following output: authtype:ldap_auth Run the following command to check if SSL is not used in the "/etc/security/ldap/ldap.cfg" file: # grep -iE "^useSSL:[[:blank:]]*yes" /etc/security/ldap/ldap.cfg The above command should yield the following output: useSSL:yes If the first command displays "authtype:ldap_auth" but the second command does not display "useSSL:yes", this is a finding.
Fix Text
Edit the "/etc/security/ldap/ldap.cfg" file to have the following line: useSSL:yes Configure the LDAP server and LDAP client to use the SSL according to AIX LDAP documentation. Restart the client daemon: # restart-secldapclntd
Additional Identifiers
Rule ID: SV-215204r987796_rule
Vulnerability ID: V-215204
Group Title: SRG-OS-000074-GPOS-00042
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000197 |
For password-based authentication, transmit passwords only over cryptographically-protected channels. |
Controls
Number | Title |
---|---|
IA-5(1) |
Password-based Authentication |