STIG Mode breaks 'administrators' and 'users' groups

Description

After enabling SIMP's STIG Mode, the 'administrators' and 'users' groups defined in OpenLDAP no longer resolve from their gid numbers to group names. This is because enabling STIG Mode raises the minimum gid (and uid) that sssd will serve to 1000, while the administrators gid is 700 and the users gid is 100. As a result, users who are members of the administrators group cannot perform administrator functions, such as running sudo commands.

An attempt was made to resolve this by decreasing the sssd minimum gid to 1, but in STIG Mode this does not allow the group to resolve or administrators to run sudo commands.

Note that the 'users' group only appears to resolve because a local 'users' group with gid 100 is defined in /etc/group, matching the OpenLDAP value for 'users', so the name comes from the local file rather than from LDAP. Removing that local group exposes the same issue.

Steps to reproduce:

  • Before or after enabling SIMP STIG Mode, add a user to the OpenLDAP 'administrators' group

  • Enable SIMP STIG mode (disa_stig)

  • Test the user's membership in the administrators group:

  • Note that gid 700 appears in the list but is not resolved to a group name

  • Log in as the user and issue any sudo command; it will fail

Workaround:

  • Before or after enabling SIMP STIG mode (disa_stig), change the gidNumber of the 'administrators' group in OpenLDAP to a value greater than 1000 (above the STIG minimum)

  • Stop the sssd service

  • Remove the sssd LDAP cache:

  • Start the sssd service again
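The following script is an added example for this ticket, not SIMP project code. It covers both the reproduction check (picking out the gids that `id` prints as bare numbers, which are the ones sssd did not resolve) and the workaround above (change the group's gidNumber in OpenLDAP, then flush sssd's cache and restart it). The group and bind DNs, the `ldapi:///` URI, and the sssd cache location `/var/lib/sss/db` are assumptions for the example and must be adjusted to the site; the 1000 minimum is the value this ticket reports for STIG Mode. Note that an entry such as `100(users)` counts as resolved even when, as the ticket explains, the name actually comes from the local /etc/group entry.

```shell
#!/bin/sh
# Added example (not SIMP project code) for diagnosing and working around the
# unresolved-gid problem described in this ticket. Assumptions are marked.
set -u

# Minimum uid/gid that SIMP STIG mode configures (value taken from this ticket).
STIG_MIN_ID=1000

# Print the gids in an `id`-style "groups=" value that carry no name, i.e. that
# sssd/NSS failed to resolve. "700,100(users),1001(wheel)" -> "700".
unresolved_gids() {
    out=""
    old_ifs=$IFS
    IFS=','
    for entry in $1; do
        case "$entry" in
            *'('*) ;;                        # "100(users)": resolved to a name
            *) out="${out:+$out }$entry" ;;  # bare number: unresolved
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Exit 0 if a gid is at or above the STIG minimum and so can be served by sssd.
gid_ok_under_stig() {
    [ "$1" -ge "$STIG_MIN_ID" ]
}

# Emit the LDIF that moves a group's gidNumber above the STIG floor.
group_gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# Apply the ticket's workaround end to end. The bind DN, the LDAP URI and the sssd
# cache directory (/var/lib/sss/db) are assumptions for this example.
apply_workaround() {
    group_dn=$1
    new_gid=$2
    bind_dn=${3:-cn=LDAPAdmin,ou=People,dc=example,dc=com}   # assumed bind DN

    if ! gid_ok_under_stig "$new_gid"; then
        echo "gid $new_gid is below the STIG minimum $STIG_MIN_ID and would not resolve either" >&2
        return 1
    fi

    # 1. Change the gid in OpenLDAP (ldapmodify reads the LDIF from stdin).
    group_gid_ldif "$group_dn" "$new_gid" | ldapmodify -x -H ldapi:/// -D "$bind_dn" -W || return 1

    # 2-4. Stop sssd, drop its cached entries (the old gid 700 is still cached), restart.
    systemctl stop sssd
    rm -f /var/lib/sss/db/*
    systemctl start sssd
}

# Only runs when invoked as: ./fix-admin-gid.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_workaround 'cn=administrators,ou=Group,dc=example,dc=com' 1700   # assumed DN and gid
    # Afterwards `id <user>` should list "1700(administrators)" instead of a bare "700".
fi
```

Before applying the change, run `unresolved_gids` on the `groups=` portion of the affected user's `id` output; every gid it prints is one that sssd refused to serve, and for this ticket each of those should be below 1000. The cache flush is not optional: sssd keeps the old gid 700 in its local database, so the renumbered group will not appear until the cache is removed and the service restarted.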

Acceptance Criteria

After STIG Mode is enabled, user accounts that are members of the 'administrators' group in OpenLDAP are able to successfully execute sudo commands

Labels

None

Epic Link

None

Story Points

None

Affects versions

Priority

Highest