Rule ID
SV-281330r1167140_rule
Version
V1R1
CCIs
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
Note: If the system administrator (SA) demonstrates the use of an approved alternate multifactor authentication method, this requirement is not applicable.
Verify RHEL 10 maps the authenticated identity to the user or group account for PKI-based authentication.
Verify the certificate of the user or group is mapped to the corresponding user or group in the "sssd.conf" file with the following command:
$ sudo find /etc/sssd/sssd.conf /etc/sssd/conf.d/ -type f -exec cat {} \;
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
If the certmap section does not exist, ask the SA to indicate how certificates are mapped to accounts.
If there is no evidence of certificate mapping, this is a finding.Configure RHEL 10 to map the authenticated identity to the user or group account by adding or modifying the certmap section of the "/etc/sssd/sssd.conf" file based on the following example:
[certmap/testing.test/rule_name]
matchrule = .*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
Restart the "sssd" service with the following command for the changes to take effect:
$ sudo systemctl restart sssd.service