Some Secure Configuration Manager UNIX user checks report positives on systems using NIS, NIS+, or LDAP (NETIQKB72838)

  • 7772838
  • 25-Feb-2011
  • 03-Mar-2011

Environment

NIS

Secure Configuration Manager

NetIQ 5.6 Security Agent for UNIX

NetIQ 7.1 UNIX Agent

Situation

When I run user authentication and security checks in Secure Configuration Manager, I receive positives for systems using NIS, NIS+, or LDAP authentication.

Resolution

On NIS+ and LDAP systems

The current workaround is to validate the use of NIS on the UNIX systems with the "Use of NIS" check, found under UNIX>System checks.
The listed risk of "Use of NIS" is:

  • "If NIS is used, a compromise of the NIS server can result in a compromise of the host."

The statement above also holds in this scenario: UNIX machines that use NIS+ for authentication need to have their configured NIS+ server examined closely, because that server determines whether all of the connected systems meet the authentication policy.

The positive risk matches returned by the user authentication security checks on systems that use only NIS+ or LDAP for authentication are therefore valid: the password policy is set on the NIS+ or LDAP server rather than on the host, and must be reviewed there.

Cause

Legacy NIS does not provide the same feature set as local passwords, NIS+, and LDAP. Legacy NIS has no way to express minimum and maximum password length, password complexity, or password ageing and expiration remotely; these are determined by the authentication limitations and password policies of each local UNIX host (for example, the effective password length is limited to eight characters if DES password encryption is used).

As of February 2011, there is a known issue with systems that use only legacy NIS for authentication.

User password policy checks incorrectly return positive risk matches on systems that use only legacy NIS for authentication. When the user policy checks detect that non-local authentication is in use, they set a positive risk match unconditionally. Because legacy NIS only stores credentials remotely and relies on the local system's password policy, the checks should instead validate the relevant local policies when legacy NIS is in use.
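One way to encode the distinction drawn above in a check, as an added example that is not NetIQ or Secure Configuration Manager code: read the account sources from the passwd: line of /etc/nsswitch.conf, treat NIS+ and LDAP sources as "policy lives on the server, review it there", and treat legacy NIS like local files, so the host's own login.defs settings are what gets evaluated. It assumes Linux shadow-utils /etc/login.defs keys (PASS_MIN_LEN, PASS_MAX_DAYS) for the local policy; Solaris keeps the equivalent in /etc/default/passwd, which is not parsed here. All configuration samples are constructed.

```python
"""Decide which password policy governs a UNIX host from its name-service config.

Added example for this article, not NetIQ agent code. Assumes an nsswitch.conf
"passwd:" line and Linux shadow-utils /etc/login.defs keys (assumptions).
"""

# Sources whose password policy is set on the directory server (the NIS+ and
# LDAP cases): a positive match is valid and the server must be examined.
REMOTE_POLICY_SOURCES = {"nisplus", "ldap"}

# Sources governed by the local host's policy. Legacy "nis" belongs here: it
# stores credentials remotely but cannot carry a password policy, so local
# settings apply. "compat" is the classic +:: style NIS hookup in /etc/passwd.
LOCAL_POLICY_SOURCES = {"files", "compat", "nis"}

# Constructed sample configurations (not captured from a real host).
SAMPLE_NSSWITCH_NIS = """\
# /etc/nsswitch.conf - legacy NIS client (constructed)
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns
"""

SAMPLE_NSSWITCH_LDAP = """\
# /etc/nsswitch.conf - LDAP client (constructed)
passwd:     files ldap [NOTFOUND=return]
shadow:     files ldap
"""

SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed): ageing is set, minimum length is not
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
#PASS_MIN_LEN   8
"""


def passwd_sources(nsswitch_text):
    """Return the ordered sources on the passwd: line, minus [action] tokens."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "passwd":
            return [tok.lower() for tok in rest.split() if not tok.startswith("[")]
    return []


def parse_login_defs(text):
    """Parse 'KEY value' lines from login.defs into a dict; comments ignored."""
    policy = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            policy[parts[0].upper()] = parts[1].strip()
    return policy


def local_policy_violations(policy, min_len=8, max_days=90):
    """Compare the host's login.defs against the required minimums.

    With DES crypt(3) hashes only the first eight characters of a password
    count, so a PASS_MIN_LEN above 8 is not enforceable on such a host.
    """
    violations = []
    if "PASS_MIN_LEN" not in policy:
        violations.append("PASS_MIN_LEN_UNSET")
    elif int(policy["PASS_MIN_LEN"]) < min_len:
        violations.append("PASS_MIN_LEN_TOO_SHORT")
    if "PASS_MAX_DAYS" not in policy:
        violations.append("PASS_MAX_DAYS_UNSET")
    elif int(policy["PASS_MAX_DAYS"]) > max_days:
        violations.append("PASS_MAX_DAYS_TOO_LONG")
    return violations


def evaluate_password_policy(nsswitch_text, login_defs_text, min_len=8, max_days=90):
    """Classify the host and check only the policy that actually applies to it."""
    sources = passwd_sources(nsswitch_text)
    remote = [s for s in sources if s in REMOTE_POLICY_SOURCES]
    local = [s for s in sources if s in LOCAL_POLICY_SOURCES]
    return {
        "sources": sources,
        # NIS+/LDAP: the positive match stands; review the policy on these servers.
        "review_on_server": remote,
        # Legacy NIS: credentials are remote but the policy is local.
        "legacy_nis": "nis" in sources,
        "local_violations": (
            local_policy_violations(parse_login_defs(login_defs_text), min_len, max_days)
            if local else []
        ),
    }


if __name__ == "__main__":
    for name, nss in (("NIS client", SAMPLE_NSSWITCH_NIS), ("LDAP client", SAMPLE_NSSWITCH_LDAP)):
        print(name, evaluate_password_policy(nss, SAMPLE_LOGIN_DEFS))
```

On the constructed legacy NIS client the result is a local finding (PASS_MIN_LEN is not set) rather than a blanket positive for non-local authentication, which is the behaviour the Cause section says the product checks should have; on the LDAP client the same local finding applies to the accounts still held in files, and ldap is reported for review on the server.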

NetIQ Engineering is aware of this issue and is working towards a fix.

Additional Information

Formerly known as NETIQKB72838

NetIQ Technical Support can provide additional information if needed.