Merge pull request #13403 from alanmcanonical/UBTU-24-400370

dodys · web-flow · commit 3d10ad51db9d · 2025-05-01T08:17:50.000-03:00
[Ubuntu]: Implement rule UBTU-24-400370
diff --git a/components/sssd.yml b/components/sssd.yml
@@ -18,6 +18,7 @@ rules:
 - sssd_enable_certmap
 - sssd_enable_pam_services
 - sssd_enable_smartcards
+- sssd_enable_user_cert
 - sssd_has_trust_anchor
 - sssd_ldap_configure_tls_ca
 - sssd_ldap_configure_tls_ca_dir
diff --git a/controls/stig_ubuntu2404.yml b/controls/stig_ubuntu2404.yml
@@ -855,8 +855,9 @@ controls:
       account for PKI-based authentication.
     levels:
       - high
-    related_rules: []
-    status: planned
+    rules:
+      - sssd_enable_user_cert
+    status: automated
 
   - id: UBTU-24-400375
     title: Ubuntu 24.04 LTS, for PKI-based authentication, Privileged Access Management
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/oval/shared.xml b/linux_os/guide/services/sssd/sssd_enable_user_cert/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+           {{{ oval_metadata("SSSD should be configured to map the certificate to
+            correct user or group") }}}
+        <criteria>
+            <criterion comment="check value of ldap_user_certificate in sssd configuration"
+                       test_ref="test_{{{rule_id}}}" />
+        </criteria>
+    </definition>
+
+    <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="test the value of
+        ldap_user_certificate in sssd configuration" id="test_{{{rule_id}}}" version="1">
+        <ind:object object_ref="obj_{{{rule_id}}}" />
+        <ind:state state_ref="state_{{{rule_id}}}" />
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{rule_id}}}" version="1">
+        <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
+        <ind:pattern operation="pattern match">^[\s]*\[[^\n\[\]]+\](?:[^\n\[]*\n+)+?[\s]*ldap_user_certificate\s*=\s*([\w;]+)$</ind:pattern>
+        <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_state comment="value of ldap_user_certificate" id="state_{{{rule_id}}}" version="1">
+        <ind:subexpression operation="equals">userCertificate;binary</ind:subexpression>
+    </ind:textfilecontent54_state>
+</def-group>
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/rule.yml b/linux_os/guide/services/sssd/sssd_enable_user_cert/rule.yml
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+
+title: 'Enable Certificates Mapping in SSSD'
+
+description: |-
+   SSSD needs to be set up to link the authenticated identity to the user or group account
+   for PKI-based authentication. To implement this, confirm that the /etc/sssd/sssd.conf
+   file contains the following line
+   <pre>
+   ldap_user_certificate=userCertificate;binary
+   </pre>
+
+rationale: |-
+   Without mapping the certificate used to authenticate to the user account, the ability to
+   determine the identity of the individual user or group will not be available for forensic
+   analysis.
+
+severity: medium
+
+platform: package[sssd]
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/commented.fail.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/commented.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+# packages = sssd
+
+CONF="/etc/sssd/sssd.conf"
+echo -e "[domain/LDAP]\n#ldap_user_certificate = userCertificate;binary" > "$CONF"
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+# packages = sssd
+
+CONF="/etc/sssd/sssd.conf"
+echo -e "[domain/LDAP]\nldap_user_certificate = userCertificate;binary" > "$CONF"
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/multiple_in_section_and_correct_value.pass.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/multiple_in_section_and_correct_value.pass.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# remediation = none
+# packages = sssd
+
+CONF="/etc/sssd/sssd.conf"
+cat << EOF > "$CONF"
+[sssd]
+domains = example.com,example2,example3
+services = nss, pam
+ldap_user_certificate = userCertificate.;binary
+certificate_verification = ocsp_dgst=sha1
+
+[domain/example.com]
+id_provider = ldap
+ldap_uri = ldap://ldap.example.com
+ldap_search_base = dc=example,dc=com
+ldap_user_certificate = userCertificate;binary
+certificate_verification = ocsp_dgst=sha1
+
+[domain/example2]
+id_provider = ldap
+ldap_uri = ldap://ldap.example2.com
+ldap_search_base = dc=example2,dc=com
+certificate_verification = ocsp_dgst=sha256
+
+[domain/example3]
+id_provider = ldap
+ldap_uri = ldap://ldap.example3.com
+ldap_search_base = dc=example3,dc=com
+ldap_user_certificate = userCertificate;binary
+EOF
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/nonexistent_file.fail.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/nonexistent_file.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+# packages = sssd
+
+CONF="/etc/sssd/sssd.conf"
+rm -f "$CONF"
diff --git a/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/wrong_value.fail.sh b/linux_os/guide/services/sssd/sssd_enable_user_cert/tests/wrong_value.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# remediation = none
+# packages = sssd
+
+CONF="/etc/sssd/sssd.conf"
+echo -e "[domain/LDAP]\nldap_user_certificate = default" > "$CONF"
