Secure Configuration Manager
NetIQ 5.6 Security Agent for UNIX
NetIQ 7.1 UNIX Agent
On NIS+ and LDAP systems
The current workaround for this is to validate the use of NIS on the UNIX systems via the "Use of NIS" check under the UNIX>System checks.
The listed risk of "Use of NIS" is:
- "If NIS is used, a compromise of the NIS server can result in a compromise of the host."
The statement above holds true in this scenario: the UNIX machines that have NIS+ enabled for authentication need to have their specified NIS+ server strictly examined to ensure the authentication compliance of all connected systems.
The positive risk match of the user authentication security checks on systems using strictly NIS+ or LDAP for authentication is valid given the situation above.
Legacy NIS doesn't provide the same feature set as local passwords, NIS+, and LDAP. Legacy NIS has no way to remotely express minimum and maximum password length, minimum password complexity, or password aging and expiration. (These are determined by the authentication limitations and password policies of each local UNIX host; for example, the password length is limited to eight characters if DES password encryption is used.)
As of February 2011, there is a known issue with systems running strictly the legacy NIS for authentication.
User password policy checks will incorrectly return positive risk matches on systems using strictly legacy NIS for authentication. If the user policy checks detect non-local authentication in use, a positive risk is statically set. Because legacy NIS uses the local system password policy and only stores credentials remotely, the check should instead validate the relevant local policies when legacy NIS is in use.
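One way to express the corrected check logic described above, as an added example (this is not NetIQ's agent code): classify the host's `passwd` source from nsswitch.conf, treat legacy `nis` as local-policy like `files`, treat `nisplus` and `ldap` as remote-policy, and only then decide whether to evaluate the host's own login.defs values. The nsswitch.conf and login.defs contents are constructed samples, and the compliance thresholds are assumed for illustration rather than taken from the product.

```python
"""Decide which password-policy checks apply to a UNIX host, based on the
password source configured in nsswitch.conf. Legacy NIS stores credentials
remotely but leaves policy to the local host; NIS+ and LDAP carry policy on
the server. Added example, not NetIQ's agent code."""

import re

# Constructed sample: a host using legacy NIS for passwd lookups.
SAMPLE_NSSWITCH_NIS = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files nis
group:      files nis
hosts:      files dns
"""

# Constructed sample: a host using LDAP, with a [STATUS=action] clause.
SAMPLE_NSSWITCH_LDAP = """\
passwd:     files ldap [NOTFOUND=return]
shadow:     files ldap
"""

# Constructed sample /etc/login.defs with a weak local aging policy.
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Sources whose password policy is expressed and enforced on the server.
REMOTE_POLICY_SOURCES = {"nisplus", "ldap"}
# Sources that always consult the host's own files (ignored for classification).
# Assumption: 'compat' with +:: entries in /etc/passwd is not detected here.
LOCAL_FILE_SOURCES = {"files", "compat"}

# Assumed thresholds for illustration only; an assessor would set these from policy.
EXPECTED = {"PASS_MAX_DAYS": ("<=", 90), "PASS_MIN_DAYS": (">=", 1), "PASS_MIN_LEN": (">=", 8)}


def passwd_sources(nsswitch_text):
    """Return the ordered sources on the 'passwd:' line, minus [STATUS=action] clauses."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("passwd:"):
            continue
        body = re.sub(r"\[[^\]]*\]", " ", line[len("passwd:"):])
        return body.split()
    return []  # no passwd line: the resolver falls back to files


def classify_passwd_source(nsswitch_text):
    """Return 'local', 'legacy_nis', 'remote' or 'mixed' for the non-file sources."""
    remote_sources = [s for s in passwd_sources(nsswitch_text) if s not in LOCAL_FILE_SOURCES]
    if not remote_sources:
        return "local"
    if all(s == "nis" for s in remote_sources):
        return "legacy_nis"
    if all(s in REMOTE_POLICY_SOURCES for s in remote_sources):
        return "remote"
    return "mixed"


def parse_login_defs(text):
    """Parse KEY VALUE lines from login.defs, ignoring comments and blanks."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0]] = parts[1].strip()
    return values


def evaluate_policy(nsswitch_text, login_defs_text):
    """Return (mode, findings). Local checks are skipped only when every
    non-file source is a remote-policy source (NIS+/LDAP); legacy NIS is
    evaluated against the host's login.defs, as the note requires."""
    mode = classify_passwd_source(nsswitch_text)
    if mode == "remote":
        return mode, {}  # policy must be validated on the NIS+/LDAP server
    defs = parse_login_defs(login_defs_text)
    findings = {}
    for key, (op, bound) in EXPECTED.items():
        raw = defs.get(key)
        if raw is None or not raw.isdigit():
            findings[key] = "missing"
            continue
        value = int(raw)
        compliant = value <= bound if op == "<=" else value >= bound
        findings[key] = "ok" if compliant else "risk"
    return mode, findings


if __name__ == "__main__":
    for name, conf in (("nis", SAMPLE_NSSWITCH_NIS), ("ldap", SAMPLE_NSSWITCH_LDAP)):
        print(name, evaluate_policy(conf, SAMPLE_LOGIN_DEFS))
```

With the constructed samples, the legacy NIS host is classified `legacy_nis` and its three weak login.defs values are each reported as `risk`, while the LDAP host is classified `remote` and produces no local findings, which is the behaviour the note says the check should have instead of a static positive match for any non-local source.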
NetIQ Engineering is aware of this issue and is working towards a fix.
NetIQ Technical Support can provide additional information if needed.