← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-22573

CAT II (Medium)

If the system is using LDAP for authentication or account information, the LDAP TLS key file must have mode 0600 or less permissive.

Rule ID

SV-46041r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000225

Discussion

LDAP can be used to provide user authentication and account information, which are vital to system security. The LDAP client configuration must be protected from unauthorized modification. Note: Depending on the particular implementation, group and other read permission may be necessary for unprivileged users to successfully resolve account information using LDAP. This will still be a finding, as these permissions provide users with access to system authenticators.

Check Content

Determine the key file.
# grep -i '^tls_key' /etc/ldap.conf
Check the permissions.
# ls -lL <keypath>
If the mode of the file is more permissive than 0600, this is a finding.

Fix Text

Change the mode of the file.
# chmod 0600 <keypath>