Ilya, Could you link to the specific sections please?
In my opinion, SSSD should be completely removed if not utilized and the LOCAL provider should never be configured since it allows you to effectively hide accounts from standard scanning utilities. If you're using LDAP, it completely makes sense.

On Thu, Nov 14, 2019 at 2:12 PM Ilya Okomin <[email protected]> wrote:

> Hello experts!
>
> I've noticed SSSD configuration rules implemented without verification
> if SSSD package/service installed/enabled. To be added, remediation part
> doesn't install sssd in case it is missing on the system, thus fix
> doesn't work for systems with no sssd on board.
> Rules:
> - sssd_enable_pam_services
> - sssd_ldap_configure_tls_ca_dir
> - sssd_ldap_start_tls
>
> So I have couple questions for clarification on the above:
> Shouldn't SSSD presence test criteria be added for mentioned rules and
> just mark them as passed if no SSSD observed?
> With regard to STIG profile, should service_sssd_enabled rule be added
> as a requirement?
>
> Regards,
> Ilya.

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
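The presence criterion asked about in the thread, as an added example (not code from scap-security-guide or from either poster): the three rules report notapplicable when SSSD is not installed, are evaluated only otherwise, and domains using the local provider are listed. Assumptions: the function name `evaluate`, the sssd.conf options each rule is taken to check (`services`, `ldap_tls_cacertdir`, `ldap_id_use_start_tls`), and treating the LDAP rules as not applicable when no domain uses `id_provider = ldap`.

```python
import configparser

RULES = ("sssd_enable_pam_services",
         "sssd_ldap_configure_tls_ca_dir",
         "sssd_ldap_start_tls")

# Constructed sssd.conf for illustration; not taken from the thread.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = corp, hidden

[domain/corp]
id_provider = ldap
ldap_id_use_start_tls = true

[domain/hidden]
id_provider = local
"""

def evaluate(sssd_installed, conf_text):
    """Return ({rule: XCCDF-style result}, [domains using the local provider])."""
    if not sssd_installed:
        # Presence criterion: with no sssd package there is nothing to assess.
        return {rule: "notapplicable" for rule in RULES}, []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    domains = [s for s in cp.sections() if s.startswith("domain/")]

    def provider(section):
        return cp.get(section, "id_provider", fallback="").strip().lower()

    ldap = [s for s in domains if provider(s) == "ldap"]
    local = [s.split("/", 1)[1] for s in domains if provider(s) == "local"]
    services = [x.strip() for x in cp.get("sssd", "services", fallback="").split(",")]

    def ldap_rule(ok):
        # Assumption: the LDAP rules only apply when some domain uses LDAP.
        if not ldap:
            return "notapplicable"
        return "pass" if all(ok(s) for s in ldap) else "fail"

    results = {
        "sssd_enable_pam_services": "pass" if "pam" in services else "fail",
        "sssd_ldap_configure_tls_ca_dir": ldap_rule(
            lambda s: cp.get(s, "ldap_tls_cacertdir", fallback="").strip() != ""),
        "sssd_ldap_start_tls": ldap_rule(
            lambda s: cp.get(s, "ldap_id_use_start_tls", fallback="").strip().lower() == "true"),
    }
    return results, local
```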
