{"description": "Enable certification trust path for SSSD to an accepted trust anchor.", "rationale": "Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "certificate_verification in sssd is not configured", "ocil": "Ensure \"ca\" is enabled in \"certificate_verification\" with the following command:\n<pre>$ sudo grep certificate_verification /etc/sssd/sssd.conf</pre>\nIf configured properly, the output should look like:\n<pre>\n    certificate_verification = ca_cert,ocsp\n</pre>", "oval_external_content": null, "fixtext": "Configure SSSD for PKI-based authentication. To validate certificates by constructing a certification path\nto an accepted trust anchor, check the following configuration of the <pre>/etc/sssd/sssd.conf</pre> file.\n<pre>\n    [domain/example.com]\n    ldap_user_certificate = usercertificate;binary\n    certificate_verification = ca_cert,ocsp\n    ca_cert = /etc/ssl/certs/ca-certificates.crt\n</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[sssd]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_sssd"], "bash_conditional": null, "fixes": {}, "title": "Certificate trust path in SSSD", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd_certification_path_trust_anchor/rule.yml", "template": null}