If the system is using LDAP for authentication or account information, the system must verify the LDAP server's certificate has not been revoked.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22558	GEN008040	SV-38382r1_rule	DCNR-1	Medium

Description
LDAP can be used to provide user authentication and account information, which are vital to system security. Communication between an LDAP server and a host using LDAP requires authentication.

STIG	Date
HP-UX 11.23 Security Technical Implementation Guide	2012-05-25

Details

Check Text ( C-36763r1_chk )
Determine if the system uses LDAP. If it does not, this is not applicable. # swlist \| grep LDAP OR # cat /etc/nsswitch.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]//' \| grep -v "^#" \| grep -i ldap If no lines are returned for either of the above commands, this vulnerability is not applicable. Verify the LDAP client is configured to check certificates against a certificate revocation list. # cat /etc/ldap.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]//' \| grep -v "^#" \| \ grep -i "^tls_crlcheck" If the setting does not exist, or the value is not all, this is a finding.

Check Text ( C-36763r1_chk )

Determine if the system uses LDAP. If it does not, this is not applicable.

# swlist | grep LDAP
OR
# cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap

If no lines are returned for either of the above commands, this vulnerability is not applicable.

Verify the LDAP client is configured to check certificates against a certificate revocation list.
# cat /etc/ldap.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | \
grep -i "^tls_crlcheck"

If the setting does not exist, or the value is not all, this is a finding.

Fix Text (F-32146r1_fix)
Edit /etc/ldap.conf and add or set the tls_crlcheck setting to all.