For systems using NSS LDAP, the TLS certificate file must be owned by root.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22567	GEN008220	SV-38390r1_rule	ECLP-1	Medium

Description
The NSS LDAP service provides user mappings which are a vital component of system security. Its configuration must be protected from unauthorized modification.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2018-09-14

Details

Check Text ( C-36775r1_chk )
Determine if the system uses LDAP. If it does not, this is not applicable. # swlist \| grep LDAP OR # cat /etc/nsswitch.conf \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]*//' \| grep -v "^#" \| grep -i ldap If nothing is returned for either of the above commands, this is not applicable. If LDAP is installed, check the ownership of the LDAP cert file(s). # ls -lLa /etc/opt/ldapux/cert8.db If the owner of the file is not root or bin, this is a finding.

Check Text ( C-36775r1_chk )

Determine if the system uses LDAP. If it does not, this is not applicable.
# swlist | grep LDAP
OR
# cat /etc/nsswitch.conf | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | grep -v "^#" | grep -i ldap

If nothing is returned for either of the above commands, this is not applicable.

If LDAP is installed, check the ownership of the LDAP cert file(s).
# ls -lLa /etc/opt/ldapux/cert8.db

If the owner of the file is not root or bin, this is a finding.

Fix Text (F-32157r1_fix)
Change the ownership of the file. # chown root