Check: GEN008040
VMware ESX 3 Server STIG (version v1 r2)
Title
If the system is using LDAP for authentication or account information, the system must check that the LDAP server's certificate has not been revoked. (Cat II impact)
Discussion
LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP therefore requires the client to authenticate the server, and with TLS that means validating the server's certificate, including checking that it has not been revoked. A certificate whose private key has been compromised is revoked by the CA; a client that skips revocation checking will still accept it, allowing anyone holding that key to impersonate the LDAP server and supply false account data or capture user credentials.
Check Content
Check if the system is using NSS LDAP:

# grep -v '^#' /etc/nsswitch.conf | grep ldap

If no lines are returned, this vulnerability is not applicable.

Verify the NSS LDAP client is configured to check certificates against a certificate revocation list:

# grep -i '^tls_crlcheck' /etc/ldap.conf

If the setting does not exist, or the value is not all, this is a finding.
Fix Text
Edit /etc/ldap.conf and add (or set) the tls_crlcheck setting to all:

tls_crlcheck all

Make the CA's CRL available to the client before enabling the check (for an OpenSSL-based client, in the directory named by tls_cacertdir under its hashed file name). With tls_crlcheck set to all and no CRL available, certificate verification fails and LDAP lookups over TLS stop working, which can lock out LDAP-backed accounts.
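The check and fix above, scripted so they can be run against explicit file paths (copies of the real files, or the constructed samples the script writes to a temporary directory). This is an added example, not part of the STIG text; the function names check_gen008040, fix_gen008040 and demo_gen008040 and the sample configuration contents are the example's own.

```shell
#!/bin/sh
# Added example (not from the STIG): automates the GEN008040 check and fix
# against explicit file paths so it can be dry-run on copies.
#
# check_gen008040 NSSWITCH_CONF LDAP_CONF
#   prints one of: not-applicable | pass | finding
check_gen008040() {
    nsswitch="$1"
    ldapconf="$2"

    # Step 1 (applicability): drop full-line comments from nsswitch.conf and
    # look for "ldap" on any remaining service line (passwd, shadow, group...).
    if ! grep -v '^#' "$nsswitch" 2>/dev/null | grep -q ldap; then
        echo not-applicable
        return 0
    fi

    # Step 2: keyword matched case-insensitively, as in the STIG's grep; if
    # the option appears more than once, evaluate the last occurrence. The
    # value must be exactly "all"; a missing line, "none" or "peer" is a finding.
    value=$(grep -i '^tls_crlcheck' "$ldapconf" 2>/dev/null \
            | tail -n 1 | awk '{ print tolower($2) }')
    if [ "$value" = "all" ]; then
        echo pass
    else
        echo finding
    fi
}

# fix_gen008040 LDAP_CONF
#   Removes any existing tls_crlcheck line and appends "tls_crlcheck all".
#   Rewrites through a temp file in the same directory (no sed -i, which
#   differs between GNU and BSD sed). The CA's CRL must be reachable via
#   tls_cacertdir or TLS verification will fail after this change.
fix_gen008040() {
    ldapconf="$1"
    tmp="$ldapconf.tmp.$$"
    {
        grep -vi '^tls_crlcheck' "$ldapconf" 2>/dev/null || true
        echo 'tls_crlcheck all'
    } > "$tmp" && mv "$tmp" "$ldapconf"
}

# Constructed sample files (not real system configuration) showing each outcome.
demo_gen008040() {
    dir=$(mktemp -d)
    printf 'passwd: files\ngroup: files\n' > "$dir/nsswitch-files.conf"
    printf 'passwd: files ldap\nshadow: files ldap\n' > "$dir/nsswitch-ldap.conf"
    printf 'uri ldaps://ldap.example.com/\ntls_crlcheck none\n' > "$dir/ldap-weak.conf"
    printf 'uri ldaps://ldap.example.com/\n' > "$dir/ldap-missing.conf"
    printf 'uri ldaps://ldap.example.com/\nTLS_CRLCHECK all\n' > "$dir/ldap-ok.conf"

    echo "NSS not using LDAP:      $(check_gen008040 "$dir/nsswitch-files.conf" "$dir/ldap-weak.conf")"
    echo "tls_crlcheck none:       $(check_gen008040 "$dir/nsswitch-ldap.conf" "$dir/ldap-weak.conf")"
    echo "tls_crlcheck missing:    $(check_gen008040 "$dir/nsswitch-ldap.conf" "$dir/ldap-missing.conf")"
    echo "TLS_CRLCHECK all:        $(check_gen008040 "$dir/nsswitch-ldap.conf" "$dir/ldap-ok.conf")"

    fix_gen008040 "$dir/ldap-weak.conf"
    echo "after fix (was none):    $(check_gen008040 "$dir/nsswitch-ldap.conf" "$dir/ldap-weak.conf")"
    rm -rf "$dir"
}

demo_gen008040
```

On a live host, call check_gen008040 /etc/nsswitch.conf /etc/ldap.conf and only run fix_gen008040 once the CRL is in place, since the fix makes revocation checking mandatory for every LDAP lookup over TLS.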
Additional Identifiers
Rule ID: SV-26945r1_rule
Vulnerability ID: V-22558
Group Title: GEN008040
Expert Comments
CCIs
Number | Definition
---|---
CCI-000185 | The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information.
Controls
Number | Title
---|---
IA-5 (2) | PKI-Based Authentication