Check: GEN008040
SUSE Linux Enterprise Server v11 for System z STIG: GEN008040 (in versions v1 r12 through v1 r9)
Title
If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked. (Cat II impact)
Discussion
LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires authentication.
Check Content
Check if the system is using NSS LDAP.

# grep -v '^#' /etc/nsswitch.conf | grep ldap

If no lines are returned, this vulnerability is not applicable.

Verify the NSS LDAP client is configured to check certificates against a certificate revocation list.

# grep -i '^tls_crlcheck' /etc/ldap.conf

If the setting does not exist, or the value is not "all", this is a finding.
Fix Text
Edit "/etc/ldap.conf" and add or set the "tls_crlcheck" setting to "all".
Additional Identifiers
Rule ID: SV-46285r1_rule
Vulnerability ID: V-22558
Group Title: GEN008040
CCIs
Number | Definition
---|---
CCI-000185 | The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication