Detections
Analytics
GEN008050 - The /etc/ldap.conf file (or equivalent) must not contain passwords - 'ldapsslkeypwd: is not unencrypted'
Information
The authentication of automated LDAP connections between systems must not use passwords since more secure methods are available, such as PKI and Kerberos. Additionally, the storage of unencrypted passwords on the system is not permitted.Solution
Remove any passwords from LDAP configuration files.The bindpw (bind password) can be encrypted with the mksecldap command.
#mksecldap
Stash the SSL key database file with the gsk7cmd or ikeyman commands.
#gsk7cmd < or > ikeyman
Comment out the ldapsslpwd line to use stashed password. The password stash file must reside in the same directory as the SSL key database, and must have the same name as the key database, but with an extension of .sth instead of .kdb.
See Also
http://iasecontent.disa.mil/stigs/zip/U_STIG_Library_2015_07.zip
Item Details
Audit Name: DISA AIX 5.3 STIG v1r2
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-13, CAT|II, CCI|CCI-000196, Rule-ID|SV-38968r1_rule, STIG-ID|GEN008050, Vuln-ID|V-24384
Plugin: Unix
Control ID: 18b3dd7d3d8e9d626ea6e3216ba27970d80acc32530bfda5837fb91112e1105f