openldap-server-not-installed

This module contains a policy file that makes sure the OpenLDAP server package is not installed on the system.

Maintainer

Vratislav Podzimek

Module stats

Total Downloads: 344
Updated: Dec 30, 2021

Installation version

Version: released on Dec 9, 2021

Installation

cfbs add openldap-server-not-installed
Description

LDAP is a protocol commonly used for user authentication and as a store of user and group information. The client libraries and tools are often needed on ordinary hosts so that they can query LDAP servers, but the LDAP server packages are only needed on the hosts that actually serve LDAP. It can nevertheless easily happen that the server packages end up installed on hosts that do not need them. Every service that is installed but not needed is additional attack surface, so the server packages should not be present unless they are explicitly required.

This module makes sure that the OpenLDAP server packages are not installed on hosts, which also guarantees that the server daemon (slapd) is not running on them.

Examples

Example of a cf-agent run on a host that has the openldap-servers package installed:

[root@hub]# cf-agent -KI
    info: Successfully removed package 'openldap-servers'

Adding exceptions

If the OpenLDAP server packages really are needed on specific hosts (the LDAP servers themselves), those hosts can be marked as exceptions by defining the hardening_openldap_server_allowed class for them, either in augments or in the CMDB. The module then leaves the packages alone on those hosts.
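The following is an added example, not the module's own policy, showing how a package promise of this kind is typically guarded by the exception class described above. The bundle name and the per-distribution package names (openldap-servers on Red Hat family, slapd on Debian family) are assumptions for the example; it also assumes the CFEngine standard library with its yum and apt package modules is loaded by the surrounding policy, as it is in a cfbs-built policy set.

```cfengine3
# Added example (not the openldap-server-not-installed module's own code).
# Removes the OpenLDAP server package on every host that has NOT been
# marked as an LDAP server via the hardening_openldap_server_allowed class.
bundle agent openldap_server_not_installed_example
{
  vars:
    # Package names differ by distribution family (assumed for this example).
    redhat::
      "pkg" string => "openldap-servers";
    debian::
      "pkg" string => "slapd";

  packages:
    # Only act where the exception class is absent. The class is expected to
    # come from augments (def.json) or the CMDB, never from this bundle.
    (redhat|debian).!hardening_openldap_server_allowed::
      "$(pkg)"
        policy  => "absent",
        comment => "OpenLDAP server is only needed on LDAP servers; remove it elsewhere";

  reports:
    # Make the exception visible in the agent output so an allowed host is
    # clearly distinguishable from one where the promise simply was kept.
    (redhat|debian).hardening_openldap_server_allowed::
      "$(this.bundle): hardening_openldap_server_allowed is set, leaving $(pkg) installed";
}
```

To verify the exception path on a host without editing augments first, define the class on the command line with `cf-agent -KI -D hardening_openldap_server_allowed`; the package promise is then skipped. To make the exception permanent, augments can define the class by matching a class the host already has: the `classes` key of def.json maps a class name to a list of regular expressions matched against the host's defined classes, so an entry such as `"hardening_openldap_server_allowed": ["ldap1_example_com"]` (the canonified hostname class of the assumed host ldap1.example.com) marks only that host as an allowed LDAP server.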

