mediumaccess-controlunverified
Ensure SSSD maps certificates to user accounts (certmap)
sssd-certmap · RHEL ≥ 8 · 1 impl
Description
When certificate/PIV authentication is used via SSSD, a [certmap/...] section must map the authenticated certificate identity to a user or group account.
Rationale
Without an identity mapping, a valid certificate cannot be tied to a specific account, breaking accountability for PKI-based logon.
Check → Remediate
Checkcommand
conf=$(ls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null) if [ -z "$conf" ]; then echo "NOT APPLICABLE: SSSD not configured (no alternate MFA in use here)" exit 0 fi if grep -hqE '^\s*\[certmap/' $conf 2>/dev/null; then echo "OK: SSSD certmap section present" exit 0 fi echo "FAIL: no [certmap/...] section in SSSD configuration" exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add a [certmap/<domain>/<name>] section with matchrule/maprule to /etc/sssd/sssd.conf, then restart sssd.
Framework references
STIG
V-281330 / RHEL-10-701280V-258132 / RHEL-09-631015V-230355 / RHEL-08-020090
NIST 800-53
IA-5(2)
#sssd#pki#certmap#identity#stig