Check: GEN008020
SUSE Linux Enterprise Server v11 for System z STIG:
GEN008020
(in versions v1 r12 through v1 r9)
Title
If the system is using LDAP for authentication or account information, the LDAP TLS connection must require the server provide a certificate with a valid trust path to a trusted CA. (Cat II impact)
Discussion
The NSS LDAP service provides user mappings which are a vital component of system security. Communication between an LDAP server and a host using LDAP for NSS require authentication.
Check Content
Check if the system is using NSS LDAP. # grep -v '^#' /etc/nsswitch.conf | grep ldap If no lines are returned, this vulnerability is not applicable. Verify a server certificate is required and verified by the NSS LDAP configuration. # grep -i '^tls_checkpeer' /etc/ldap.conf If no line is returned, or the value is not "yes", this is a finding.
Fix Text
Edit "/etc/ldap.conf" and add or set the "tls_checkpeer" setting to "yes".
Additional Identifiers
Rule ID: SV-46000r1_rule
Vulnerability ID: V-22557
Group Title: GEN008020
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5 (2) |
Pki-Based Authentication |