← Rules Catalog
mediumaccess-controlunverified

Ensure SSSD maps certificates to user accounts (certmap)

sssd-certmap · RHEL ≥ 8 · 1 impl

Description

When certificate/PIV authentication is used via SSSD, a [certmap/...] section must map the authenticated certificate identity to a user or group account.

Rationale

Without an identity mapping, a valid certificate cannot be tied to a specific account, breaking accountability for PKI-based logon.

Check → Remediate

Checkcommand
conf=$(ls /etc/sssd/sssd.conf /etc/sssd/conf.d/*.conf 2>/dev/null)
if [ -z "$conf" ]; then
  echo "NOT APPLICABLE: SSSD not configured (no alternate MFA in use here)"
  exit 0
fi
if grep -hqE '^\s*\[certmap/' $conf 2>/dev/null; then
  echo "OK: SSSD certmap section present"
  exit 0
fi
echo "FAIL: no [certmap/...] section in SSSD configuration"
exit 1
expected_exit:
0
Remediatemanual
note:
Add a [certmap/<domain>/<name>] section with matchrule/maprule to /etc/sssd/sssd.conf, then restart sssd.

Framework references

STIG

V-281330 / RHEL-10-701280V-258132 / RHEL-09-631015V-230355 / RHEL-08-020090

NIST 800-53

IA-5(2)
#sssd#pki#certmap#identity#stig