{"description": "Configure SSSD to implement cryptography to protect the\nintegrity of LDAP remote access sessions by setting\nthe <pre>ldap_tls_cacertdir</pre> option in the <pre>[domain/...]</pre> section of <pre>/etc/sssd/sssd.conf</pre>\nto the directory holding the X.509 CA certificates used to authenticate the LDAP server:\n<pre>ldap_tls_cacertdir = /path/to/tls/cacert</pre>\nThe directory must hold the CA certificates in the layout the underlying TLS library expects\n(hashed symlinks created with <pre>openssl rehash</pre> when OpenLDAP is built against OpenSSL),\notherwise SSSD cannot validate the server certificate. The setting only enforces validation while\n<pre>ldap_tls_reqcert</pre> is left at <pre>demand</pre> or <pre>hard</pre> (the default);\n<pre>never</pre> or <pre>allow</pre> still accepts an untrusted server certificate.", "rationale": "Without cryptographic integrity protections, information can be altered by\nunauthorized users without detection.\n<br /><br />\nCryptographic mechanisms used for\nprotecting the integrity of information include, for example, signed hash\nfunctions using asymmetric cryptography enabling distribution of the public key\nto verify the hash information while maintaining the confidentiality of the key\nused to generate the hash.\n<br /><br />\nFor SSSD, the CA certificate directory is what allows the client to validate the\nLDAP server's X.509 certificate before it sends user credentials over the\nsession, so an attacker on the network cannot impersonate the directory server\nwith a certificate the client does not trust.", "severity": "medium", "references": {"nist": ["SC-12(3)", "CM-6(a)"], "srg": ["SRG-OS-000250-GPOS-00093"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the TLS CA certificate directory is not configured", "ocil": "To verify the operating system implements cryptography to protect the integrity of\nremote LDAP access sessions, run the following command:\n<pre>$ sudo grep ldap_tls_cacertdir /etc/sssd/sssd.conf</pre>\nThe output should return the following line, uncommented and inside the\n<pre>[domain/...]</pre> section, with a correctly configured CA certificate directory:\n<pre>ldap_tls_cacertdir = /path/to/tls/cacert</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "sssd-ldap", "platforms": ["sssd-ldap"], "sce_metadata": {}, "inherited_platforms": ["package[sssd]", "system_with_kernel"], "cpe_platform_names": ["sssd-ldap"], "inherited_cpe_platform_names": ["system_with_kernel", "package_sssd"], "bash_conditional": null, "fixes": {}, "title": "Configure SSSD LDAP Backend Client CA Certificate Location", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd-ldap/sssd_ldap_configure_tls_ca_dir/rule.yml", "template": null}
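Added worked example (not part of this SSG rule and not code from the SSSD project): a POSIX shell audit that goes further than the flat grep in the OCIL check. It parses sssd.conf section by section, ignores commented-out lines, and for every `[domain/...]` section that uses the ldap provider verifies that `ldap_tls_cacertdir` is set, points at an existing non-empty directory, and is not undermined by `ldap_tls_reqcert = never` or `allow`. The sample configuration files, the domain name `corp`, the host `ldap.example.com` and the placeholder hashed-link file `a1b2c3d4.0` are constructed inputs, not real deployment data.

```shell
#!/bin/sh
# Added example: audit sssd.conf for the ldap_tls_cacertdir requirement.
# Not part of the SSG rule or SSSD itself.

# Print "section|cacertdir|reqcert" for every [domain/...] section that uses
# the ldap provider for id, auth, chpass or access. Comments are stripped and
# values trimmed, so a commented-out option does not count as configured.
sssd_ldap_domains() {
    awk '
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[/ { sec = $0; next }
        sec ~ /^\[domain\// && index($0, "=") {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key ~ /^(id|auth|chpass|access)_provider$/ && val == "ldap") ldap[sec] = 1
            if (key == "ldap_tls_cacertdir") dir[sec] = val
            if (key == "ldap_tls_reqcert") req[sec] = val
        }
        END { for (s in ldap) print s "|" dir[s] "|" req[s] }
    ' "$1"
}

# Return 0 when every LDAP domain in the given sssd.conf is compliant;
# otherwise print one "section: reason" line per finding and return 1.
check_sssd_tls_cacertdir() {
    rc=0
    while IFS='|' read -r sec dir req; do
        [ -n "$sec" ] || continue
        if [ -z "$dir" ]; then
            echo "$sec: ldap_tls_cacertdir is not set"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "$sec: ldap_tls_cacertdir=$dir is not a directory"; rc=1
        elif [ -z "$(ls -A "$dir")" ]; then
            echo "$sec: ldap_tls_cacertdir=$dir holds no certificates (populate it and run 'openssl rehash')"; rc=1
        fi
        case "$req" in
            never|allow) echo "$sec: ldap_tls_reqcert=$req accepts untrusted peer certificates"; rc=1 ;;
        esac
    done <<EOF
$(sssd_ldap_domains "$1")
EOF
    return $rc
}

# Constructed sample input (no real certificates): one compliant domain and
# one that only mentions the option in a comment while weakening reqcert.
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/cacerts"
: > "$SAMPLE_DIR/cacerts/a1b2c3d4.0"   # stands in for a hashed CA symlink
cat > "$SAMPLE_DIR/good.conf" <<EOF
[sssd]
services = nss, pam
domains = corp

[domain/corp]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacertdir = $SAMPLE_DIR/cacerts
ldap_tls_reqcert = demand
EOF
cat > "$SAMPLE_DIR/bad.conf" <<EOF
[domain/corp]
id_provider = ldap
# ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = allow
EOF

if check_sssd_tls_cacertdir "$SAMPLE_DIR/good.conf"; then echo "good.conf: compliant"; fi
if ! check_sssd_tls_cacertdir "$SAMPLE_DIR/bad.conf"; then echo "bad.conf: non-compliant"; fi
```

On a real host run `check_sssd_tls_cacertdir /etc/sssd/sssd.conf` as root (the file is mode 0600). Keeping the parse in awk means the check sees the option only where SSSD does, in a domain section, rather than anywhere the string happens to appear in the file.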