{"description": "The LDAP client should be configured to implement TLS for the integrity\nof all remote LDAP authentication sessions. If the <tt>id_provider</tt> is\nset to <tt>ldap</tt> or <tt>ipa</tt> in <tt>/etc/sssd/sssd.conf</tt> or any of the\n<tt>/etc/sssd/sssd.conf.d</tt> configuration files, <tt>ldap_id_use_start_tls</tt>\nmust be set to <tt>true</tt>.\n<br /><br />\nTo check if LDAP is configured to use TLS when <tt>id_provider</tt> is\nset to <tt>ldap</tt> or <tt>ipa</tt>, use the following command:\n<pre>$ sudo grep -i ldap_id_use_start_tls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf</pre>", "rationale": "Without cryptographic integrity protections, information can be\naltered by unauthorized users without detection. The ssl directive specifies\nwhether to use TLS or not. If not specified it will default to no.\nIt should be set to start_tls rather than doing LDAP over SSL.", "severity": "high", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "srg": ["SRG-OS-000250-GPOS-00093"], "anssi": ["R67"]}, "control_references": {"anssi": ["R67"]}, "components": [], "identifiers": {}, "ocil_clause": "the 'ldap_id_use_start_tls' option is not set to 'true'", "ocil": "If the system is not using TLS, set the <tt>ldap_id_use_start_tls</tt> option\nin <tt>/etc/sssd/sssd.conf</tt> to <tt>true</tt>.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "sssd-ldap", "platforms": ["sssd-ldap"], "sce_metadata": {}, "inherited_platforms": ["package[sssd]", "system_with_kernel"], "cpe_platform_names": ["sssd-ldap"], "inherited_cpe_platform_names": ["package_sssd", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure SSSD LDAP Backend to Use TLS For All Transactions", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_start_tls/rule.yml", "template": null}