Ilya,
Could you link to the specific sections please?
In my opinion, SSSD should be completely removed if not utilized and the
LOCAL provider should never be configured since it allows you to
effectively hide accounts from standard scanning utilities.
If you're using LDAP, it completely makes sense.
On Thu, Nov 14, 2019 at 2:12 PM Ilya Okomin <ilya.okomin(a)oracle.com> wrote:
Hello experts!
I've noticed SSSD configuration rules are implemented without verifying
whether the SSSD package/service is installed/enabled. In addition, the remediation part
doesn't install sssd in case it is missing on the system, thus the fix
doesn't work for systems with no sssd on board.
Rules:
- sssd_enable_pam_services
- sssd_ldap_configure_tls_ca_dir
- sssd_ldap_start_tls
So I have a couple of questions for clarification on the above:
Shouldn't SSSD presence test criteria be added for the mentioned rules and
just mark them as passed if no SSSD is observed?
With regard to the STIG profile, should the service_sssd_enabled rule be added
as a requirement?
Regards,
Ilya.
--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788
-- This account not approved for unencrypted proprietary information --