0

We are a RedHat only shop. No Windows machines. All of our hosts authenticate with ldaps (636).
Recently, there was a CVE about a Samba issue with Active Directory. CVE 2020-1472
We have absolutely no need at all for Active Directory connectivity. When we install the sssd package, it has a dependency of sssd-ad (for active directory support).

Is there a way to remove the dependency on active directory support from sssd? I don't want to install anything that I don't need.

Our vulnerability scanned is showing this as a finding. The STIG clearly states that no action is required if there is no AD controller on our system. Unfortunatley, our Security 'Manager' majored in Bikini's and Frisbee's, doesn't understand that we really don't have a problem, and is insisting that we patch or remove the package. Some of our systems are still running RH 7.6 (even RH 7.3!). The upgrades have been delayed because of higher priority stuff. Upgrading the samba packages have several dependencies and I am not sure what adverse impacts the upgrade may have.

Scottie H
  • 227
  • 2
  • 10
  • 2
    This sounds like a political issue instead of a technology issue. – ewwhite Jan 28 '21 at 22:41
  • Partially. Technical issue is how do I remove SAMBA and still keep SSSD. Political issue is the mitigation of the current CVE. WE are working on a new software release and have decided to only install what we need, instead of installing everything. So, the technology issue still stands. How can I get rid of it? – Scottie H Jan 28 '21 at 23:27
  • I mean...`rpm -e --nodeps sssd-ad`, but that's a terrible idea and it seems easier just to...not configure an AD backend in your `sssd.conf`. Which you're not. – larsks Jan 29 '21 at 03:54
  • 1
    Or grab the [rpm sources](http://ftp.redhat.com/pub/redhat/linux/enterprise/7Server/en/os/SRPMS/sssd-1.15.2-50.el7_4.13.src.rpm), remove the dependency for `sssd-ad` from the `sssd` package, rebuild the rpm, and install it. Congratulations, now you're a package maintainer and it's your job to keep the package up-to-date with respect to Red Hat security updates. – larsks Jan 29 '21 at 03:59

1 Answers1

2

Red Hat's sssd package exists only to require all the sub packages. So, don't install the meta package. Remove samba packages with yum, which will remove sssd-ad. Ensure specific packages necessary are installed, possibly sssd-common sssd-clients sssd-ldap. Test your auth works.

However, you cannot be compliant without fundamentals like security updates. Basic system administration, but certainly staying up to date is on STIG checklists as well. I suspect someone is parsing a list of CVEs as an inflexible checklist. Working those findings and lots of other tasks is leading your team to ignore the tedious but important task of maintaining software.

RHEL 7.5 Extended Update Support has ended, assuming you subscribed to it in the first place. Your RHEL 7.3 boxes are definitely behind on updates. More than three years behind at this point, which is a decent amount of technical debt to defer.

John Mahowald
  • 32,050
  • 2
  • 19
  • 34