
Restrict access to configuration files to necessary users only.

389-CM-001 - severity: high

Field         Value
Control ID    389-CM-001
Severity      high
Type          preventive
Owner         IT Operations
Status        authored
NIST 800-53   CM-5, AC-6
DISA SRG      SRG-APP-000133, SRG-APP-000380

Rationale

dse.ldif is the on-disk form of the server's entire cn=config tree: the Directory Manager password hash (nsslapd-rootpw), the bind credentials stored in replication agreements, the enabled plugins and their settings, and the TLS configuration including the certificate database location. If the file is group- or world-readable, any unprivileged local user can read these settings and plan an attack without ever issuing an LDAP bind. Write access by any account other than the service principal allows silent, offline modification: the server reads dse.ldif only at startup, so a change made on disk is applied unnoticed at the next restart, whether that is an injected plugin entry that loads attacker-controlled code or a disabled security control. Enforcing 600 dirsrv:dirsrv implements least privilege at the filesystem layer and satisfies the access restriction requirements of NIST SP 800-53 CM-5 (Access Restrictions for Change) and AC-6 (Least Privilege); the control is assessed under DISA SRG-APP-000133 and SRG-APP-000380.

Check

Verify that dse.ldif is owned by the dirsrv service account and group and that its mode is exactly 600, so group and other have no access. The server keeps two copies of the same content beside it, dse.ldif.bak and dse.ldif.startOK; they hold the same secrets and should meet the same expectation, so a review of the instance directory should include them. The stat format below is GNU coreutils syntax (%a is the mode in octal, %U the owner, %G the group).

stat -c '%a %U:%G' /etc/dirsrv/slapd-<instance>/dse.ldif

Expected: 600 dirsrv:dirsrv

Remediation

Set ownership to the dirsrv service account and restrict the mode to owner read/write only. Do not tighten further to 400: the server rewrites dse.ldif whenever cn=config is modified, so it needs write access as the owner.

chown dirsrv:dirsrv /etc/dirsrv/slapd-<instance>/dse.ldif
chmod 600 /etc/dirsrv/slapd-<instance>/dse.ldif
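The check and remediation steps above, combined into one auditable script. This is an added example written for this page, not code from the control's author or from the 389 Directory Server project. It assumes GNU stat (coreutils) and the /etc/dirsrv/slapd-<instance>/ layout; the directory, owner and group are parameters so the demo at the bottom can run unprivileged against a constructed temporary directory as the current user, whereas in production you would pass /etc/dirsrv/slapd-<instance> dirsrv dirsrv. It goes slightly beyond the page's single stat command by also covering the dse.ldif.bak and dse.ldif.startOK copies the server maintains, and by writing the pre-change backup into a mode 700 directory so the backup does not re-expose the content.

```shell
#!/bin/sh
# Added example, not part of the original control text or the 389-ds project.
# Audits and remediates the permissions of dse.ldif and the sibling copies the
# server keeps beside it (dse.ldif.bak, dse.ldif.startOK). Assumes GNU stat.
# Directory, owner and group are parameters so the demo can run unprivileged;
# in production:  check_dse_perms /etc/dirsrv/slapd-<instance> dirsrv dirsrv

# Files the control covers; the .bak and .startOK copies hold the same
# cn=config content, so they get the same expectation.
DSE_FILES="dse.ldif dse.ldif.bak dse.ldif.startOK"

# check_dse_perms DIR OWNER GROUP
# Returns 0 when every existing copy in DIR is mode 600 OWNER:GROUP, else 1.
# Prints one PASS/FAIL line per file (same stat format as the Check step).
check_dse_perms() {
    dir=$1 owner=$2 group=$3
    rc=0
    for name in $DSE_FILES; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        actual=$(stat -c '%a %U:%G' "$f")
        if [ "$actual" = "600 $owner:$group" ]; then
            printf 'PASS %s %s\n' "$actual" "$f"
        else
            printf 'FAIL %s %s (expected 600 %s:%s)\n' "$actual" "$f" "$owner" "$group"
            rc=1
        fi
    done
    return $rc
}

# remediate_dse_perms DIR OWNER GROUP BACKUPDIR
# Backs each file up into BACKUPDIR (created mode 700 so the copy does not
# re-expose the secrets), then applies the chown/chmod from the Remediation step.
remediate_dse_perms() {
    dir=$1 owner=$2 group=$3 backup=$4
    mkdir -p "$backup" && chmod 700 "$backup" || return 1
    for name in $DSE_FILES; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        cp -p "$f" "$backup/$name" || return 1
        chown "$owner:$group" "$f" || return 1
        chmod 600 "$f" || return 1
    done
}

# Demo on a constructed instance directory with a deliberately world-readable
# dse.ldif (sample content, not a real server configuration).
demo_dir=$(mktemp -d)
printf 'dn: cn=config\nnsslapd-localuser: dirsrv\n' > "$demo_dir/dse.ldif"
cp "$demo_dir/dse.ldif" "$demo_dir/dse.ldif.startOK"
chmod 644 "$demo_dir/dse.ldif" "$demo_dir/dse.ldif.startOK"
me=$(id -un) mygroup=$(id -gn)

echo "== before =="
check_dse_perms "$demo_dir" "$me" "$mygroup" || echo "finding: remediation required"
remediate_dse_perms "$demo_dir" "$me" "$mygroup" "$demo_dir/backup"
echo "== after =="
check_dse_perms "$demo_dir" "$me" "$mygroup" && echo "compliant"
rm -rf "$demo_dir"
```

The check function's exit status is what a configuration-management run or a cron job should key on; the printed lines are for the human reading the audit log. Group and owner are compared separately from the mode so that a file that is 600 but owned by root (a common result of editing as root) is reported as a finding rather than passing on mode alone.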

References

NIST SP 800-53: CM-5 (Access Restrictions for Change), AC-6 (Least Privilege)
DISA SRG: SRG-APP-000133, SRG-APP-000380

Implementation Notes

The service account name is dirsrv in the packages shipped by Red Hat, Fedora, and most other distributions. The authoritative value for a given instance is the nsslapd-localuser attribute of cn=config in dse.ldif itself; ps aux | grep ns-slapd shows the account the running process has dropped privileges to and is a quick cross-check if you suspect it differs in your environment. Do not remove read or write access for the dirsrv user: the server reads dse.ldif at startup and rewrites it (and dse.ldif.bak) whenever the configuration is changed through dsconf or an LDAP modify against cn=config. Back up dse.ldif before altering ownership so you can recover if a typo in the chown locks the service account out, and give the backup the same 600 mode, since it contains the same secrets. This is an OS-level control; it takes effect immediately and does not require a 389DS restart.