Merge "[Doc] Exceptions for LDAP SSL/TLS checks"

Jenkins 2016-11-17 02:39:32 +00:00 committed by Gerrit Code Review
commit 98123ec655
3 changed files with 47 additions and 9 deletions


@ -1,7 +1,13 @@
---
id: RHEL-07-040180
status: not implemented
tag: misc
status: exception - manual intervention
tag: auth
---
This STIG requirement is not yet implemented.
Deployers are strongly urged to utilize ``sssd`` for systems that authenticate
against LDAP or Active Directory (AD) servers.
The ldap connector for ``sssd`` connects only to LDAP servers over
encrypted connections. Review the man page for
`sssd-ldap <https://linux.die.net/man/5/sssd-ldap>`_ for more details on this
requirement.
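Review bot: the line "This STIG requirement is not yet implemented." contradicts the new ``status: exception - manual intervention`` set in the front matter of this same hunk; if it is not among the deleted lines it should be dropped, since the paragraph that follows describes how the control is met rather than a gap. Separately, "The ldap connector for ``sssd`` connects only to LDAP servers over encrypted connections" overstates what the linked sssd-ldap man page says: by default sssd refuses to send authentication credentials over an unencrypted channel, but the identity-lookup (id_provider) connection is protected with TLS only when ``ldap_id_use_start_tls`` is enabled. Suggest narrowing the sentence to authentication, e.g. "The LDAP provider for ``sssd`` will not authenticate users over an unencrypted connection by default", and mentioning ``ldap_id_use_start_tls`` if deployers are expected to set it.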


@ -1,7 +1,23 @@
---
id: RHEL-07-040181
status: not implemented
tag: misc
status: exception - manual intervention
tag: auth
---
This STIG requirement is not yet implemented.
Deployers are strongly urged to utilize ``sssd`` for systems that authenticate
against LDAP or Active Directory (AD) servers.
To meet this control, deployers must ensure that ``ldap_tls_cacert`` or
``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The
``ldap_tls_cacert`` directive specifies a single certificate while
``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA
certificates.
.. warning::
Use caution when adjusting these settings. If the correct CA certificates
are not already deployed to the servers that perform LDAP authentication,
their attempts to authenticate users might fail.
Consult with administrators of the LDAP system and test all changes on
a non-production system first.
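Review bot: the sentence "This STIG requirement is not yet implemented." conflicts with the new ``status: exception - manual intervention`` and should be removed if it is not one of this hunk's deleted lines. In the RST body, ``.. warning::`` must be preceded by a blank line and its body lines must be indented, otherwise the directive is swallowed into the preceding paragraph and rendered as literal text; as shown here ``certificates.`` is immediately followed by ``.. warning::`` with unindented body lines, so please check the source file. Also, "must ensure that ``ldap_tls_cacert`` or ``ldap_tls_cacertdir`` are set" reads as though both are expected; since either one is sufficient, "at least one of ``ldap_tls_cacert`` or ``ldap_tls_cacertdir`` is set" is clearer, and a short ``[domain/<name>]`` stanza showing one of the directives would help deployers find the right section of ``sssd.conf``.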


@ -1,7 +1,23 @@
---
id: RHEL-07-040182
status: not implemented
tag: misc
status: exception - manual intervention
tag: auth
---
This STIG requirement is not yet implemented.
Deployers are strongly urged to utilize ``sssd`` for systems that authenticate
against LDAP or Active Directory (AD) servers.
To meet this control, deployers must ensure that ``ldap_tls_cacert`` or
``ldap_tls_cacertdir`` are set in the ``/etc/sssd/sssd.conf`` file. The
``ldap_tls_cacert`` directive specifies a single certificate while
``ldap_tls_cacertdir`` specifies a directory where ``sssd`` can find CA
certificates.
.. warning::
Use caution when adjusting these settings. If the correct CA certificates
are not already deployed to the servers that perform LDAP authentication,
their attempts to authenticate users might fail.
Consult with administrators of the LDAP system and test all changes on
a non-production system first.
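Review bot: this hunk is word-for-word identical to the RHEL-07-040181 hunk above, yet it documents a different control (RHEL-07-040182). If the two STIG items differ, for example one concerning the CA certificate file and the other the directory, or one concerning certificate validation rather than certificate location, each page should state which setting satisfies its own control; if they share one remediation, say so explicitly so a reader does not assume text was lost in a copy-paste. The same formatting issues apply here as in the previous hunk: the stale "This STIG requirement is not yet implemented." sentence contradicts the new ``exception - manual intervention`` status, and ``.. warning::`` needs a blank line before it and an indented body to render as a directive.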