STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

If AIX is using LDAP for authentication or account information, the /etc/ldap.conf file (or equivalent) must not contain passwords.

DISA Rule

SV-215174r508663_rule

Vulnerability Number

V-215174

Group Title

SRG-OS-000073-GPOS-00041

Rule Version

AIX7-00-001007

Severity

CAT I

CCI(s)

• CCI-000196 - The information system, for password-based authentication, stores only cryptographically-protected passwords.

Weight

10

Fix Recommendation

To remove the clear-text password for "bindpwd", do the following two steps:
Edit "/etc/security/ldap/ldap.cfg" to remove the "bindpwd" line and save the change;

Re-config the LDAP client using the "mksecldap" command:
# mksecldap -c -h <LDAP_HOST:LDAP_PORT> -A <auth_type> -D <Default_Entry> -d <BASE_DN> -a <BIND_USER> -p <BIND_PASSWORD> -k <KDB_FILE> -w <KDB_PASSWORD>

Note: Depending on which version of GSKit is installed on AIX, the GSK commands that are used to manage the Key Database (KDB) have different names. The possible GSK commands are: "gsk8capicmd" (used below), "gsk8capicmd_64" and "gsk7cmd".

To use the stashed password for SSL key database (KDB), do the following two steps:
Edit "/etc/security/ldap/ldap.cfg" to remove the "ldapsslkeypwd" line and save the change;

Run the "gsk8capicmd" to create a stashed password file for the SSL KDB:
# gsk8capicmd -keydb -stashpw -db <KDB_FILE> -pw <KDB_PASSWORD>

Check Contents

Examine the LDAP configuration file "/etc/security/ldap/ldap.cfg" for possible clear-text password for "bindpwd".

From the command prompt, run the following command:
# grep ^bindpwd: /etc/security/ldap/ldap.cfg

The above command should yield the following output:
bindpwd:{DESv2}57AEE2BCED 764373462FC7B62736D9A

If the returned entry has an unencrypted password (the output line does not start with "bindpwd:{DES"), this is a finding.

Examine the LDAP configuration file "/etc/security/ldap/ldap.cfg" for using stashed password for SSL key database (KDB).

Check for "ldapsslkeypwd" in LDAP config file using the follow command:
# grep '^ldapsslkeypwd' /etc/security/ldap/ldap.cfg

If the command returned a line, this is a finding.

Vulnerability Number

V-215174

Documentable

False

Rule Version

AIX7-00-001007

Severity Override Guidance

Examine the LDAP configuration file "/etc/security/ldap/ldap.cfg" for possible clear-text password for "bindpwd".

From the command prompt, run the following command:
# grep ^bindpwd: /etc/security/ldap/ldap.cfg

The above command should yield the following output:
bindpwd:{DESv2}57AEE2BCED 764373462FC7B62736D9A

If the returned entry has an unencrypted password (the output line does not start with "bindpwd:{DES"), this is a finding.

Examine the LDAP configuration file "/etc/security/ldap/ldap.cfg" for using stashed password for SSL key database (KDB).

Check for "ldapsslkeypwd" in LDAP config file using the follow command:
# grep '^ldapsslkeypwd' /etc/security/ldap/ldap.cfg

If the command returned a line, this is a finding.

Check Content Reference

M

Target Key

4012

Comments