|
 |
f8899d |
From f1011e329d01e857a20d8f75285ad22c38ff4033 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Thu, 15 Oct 2020 09:03:33 +0200
|
|
|
f8899d |
Subject: [PATCH 1/7] add rule
|
|
|
f8899d |
|
|
|
f8899d |
---
|
|
|
f8899d |
.../use_pam_wheel_for_su/ansible/shared.yml | 12 +++++++
|
|
|
f8899d |
.../use_pam_wheel_for_su/bash/shared.sh | 8 +++++
|
|
|
f8899d |
.../use_pam_wheel_for_su/oval/shared.xml | 19 +++++++++++
|
|
|
f8899d |
.../root_logins/use_pam_wheel_for_su/rule.yml | 32 +++++++++++++++++++
|
|
|
f8899d |
shared/references/cce-redhat-avail.txt | 1 -
|
|
|
f8899d |
5 files changed, 71 insertions(+), 1 deletion(-)
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..d66d66200d
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
|
|
|
f8899d |
@@ -0,0 +1,12 @@
|
|
|
f8899d |
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
f8899d |
+# reboot = false
|
|
|
f8899d |
+# strategy = restrict
|
|
|
f8899d |
+# complexity = low
|
|
|
f8899d |
+# disruption = low
|
|
|
f8899d |
+
|
|
|
f8899d |
+- name: "restrict usage of su command only to members of wheel group"
|
|
|
f8899d |
+ lineinfile:
|
|
|
f8899d |
+ path: "/etc/pam.d/su"
|
|
|
f8899d |
+ line: "auth required pam_wheel.so use_uid"
|
|
|
f8899d |
+ regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
|
|
|
f8899d |
+ state: present
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..0aec7b4361
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
@@ -0,0 +1,8 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
f8899d |
+
|
|
|
f8899d |
+if ! grep -q pam_wheel /etc/pam.d/su; then
|
|
|
f8899d |
+ sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su
|
|
|
f8899d |
+else
|
|
|
f8899d |
+ echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
|
|
|
f8899d |
+fi
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..f84e04fa32
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
|
|
|
f8899d |
@@ -0,0 +1,19 @@
|
|
|
f8899d |
+<def-group>
|
|
|
f8899d |
+ <definition class="compliance" id="use_pam_wheel_for_su" version="1">
|
|
|
f8899d |
+ {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.") }}}
|
|
|
f8899d |
+ <criteria operator="AND">
|
|
|
f8899d |
+ <criterion test_ref="test_use_pam_wheel_for_su" />
|
|
|
f8899d |
+ </criteria>
|
|
|
f8899d |
+ </definition>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/su for correct setting" id="test_use_pam_wheel_for_su" version="1">
|
|
|
f8899d |
+ <ind:object object_ref="object_use_pam_wheel_for_su" />
|
|
|
f8899d |
+ </ind:textfilecontent54_test>
|
|
|
f8899d |
+
|
|
|
f8899d |
+ <ind:textfilecontent54_object comment="check /etc/pam.d/su for correct setting" id="object_use_pam_wheel_for_su" version="1">
|
|
|
f8899d |
+ <ind:filepath>/etc/pam.d/su</ind:filepath>
|
|
|
f8899d |
+ <ind:pattern operation="pattern match">^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$</ind:pattern>
|
|
|
f8899d |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
f8899d |
+ </ind:textfilecontent54_object>
|
|
|
f8899d |
+
|
|
|
f8899d |
+</def-group>
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..260cbd3344
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
|
|
|
f8899d |
@@ -0,0 +1,32 @@
|
|
|
f8899d |
+documentation_complete: true
|
|
|
f8899d |
+
|
|
|
f8899d |
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
|
|
|
f8899d |
+
|
|
|
f8899d |
+title: 'Enforce usage of pam_wheel for su authentication'
|
|
|
f8899d |
+
|
|
|
f8899d |
+description: |-
|
|
|
f8899d |
+ To ensure that only users who are members of the <tt>wheel</tt> group can
|
|
|
f8899d |
+ run commands with altered privileges through the <tt>su</tt> command, make
|
|
|
f8899d |
+ sure that the following line exists in the file <tt>/etc/pam.d/su</tt>:
|
|
|
f8899d |
+ auth required pam_wheel.so use_uid
|
|
|
f8899d |
+
|
|
|
f8899d |
+rationale: |-
|
|
|
f8899d |
+ The <tt>su</tt> program allows to run commands with a substitute user and
|
|
|
f8899d |
+ group ID. It is commonly used to run commands as the root user. Limiting
|
|
|
f8899d |
+ access to such command is considered a good security practice.
|
|
|
f8899d |
+
|
|
|
f8899d |
+severity: medium
|
|
|
f8899d |
+
|
|
|
f8899d |
+identifiers:
|
|
|
f8899d |
+ cce@rhel8: CCE-83318-6
|
|
|
f8899d |
+
|
|
|
f8899d |
+references:
|
|
|
f8899d |
+ ospp: FMT_SMF_EXT.1.1
|
|
|
f8899d |
+
|
|
|
f8899d |
+ocil_clause: 'the line is not in the file or it is commented'
|
|
|
f8899d |
+
|
|
|
f8899d |
+ocil: |-
|
|
|
f8899d |
+ Run the following command to check if the line is present:
|
|
|
f8899d |
+ grep pam_wheel /etc/pam.d/su
|
|
|
f8899d |
+ The output should contain the following line:
|
|
|
f8899d |
+ auth required pam_wheel.so use_uid
|
|
|
f8899d |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
f8899d |
index 21b42b5eee..a76d3cb609 100644
|
|
|
f8899d |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
f8899d |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
f8899d |
@@ -2,7 +2,6 @@ CCE-83314-5
|
|
|
f8899d |
CCE-83315-2
|
|
|
f8899d |
CCE-83316-0
|
|
|
f8899d |
CCE-83317-8
|
|
|
f8899d |
-CCE-83318-6
|
|
|
f8899d |
CCE-83319-4
|
|
|
f8899d |
CCE-83320-2
|
|
|
f8899d |
CCE-83322-8
|
|
|
f8899d |
|
|
|
f8899d |
From da5fc11a838214aff87425470b909107148f25d5 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Thu, 15 Oct 2020 09:03:48 +0200
|
|
|
f8899d |
Subject: [PATCH 2/7] add tests
|
|
|
f8899d |
|
|
|
f8899d |
---
|
|
|
f8899d |
.../root_logins/use_pam_wheel_for_su/tests/correct.pass.sh | 7 +++++++
|
|
|
f8899d |
.../use_pam_wheel_for_su/tests/line_commented.fail.sh | 7 +++++++
|
|
|
f8899d |
.../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 4 ++++
|
|
|
f8899d |
3 files changed, 18 insertions(+)
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
|
|
|
f8899d |
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..233b3b11b4
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
|
|
|
f8899d |
@@ -0,0 +1,7 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+#clean possible commented lines
|
|
|
f8899d |
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
|
|
|
f8899d |
+
|
|
|
f8899d |
+#apply correct line
|
|
|
f8899d |
+echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..aa7757d2e1
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,7 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+#clean possible commented lines
|
|
|
f8899d |
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
|
|
|
f8899d |
+
|
|
|
f8899d |
+#apply commented line
|
|
|
f8899d |
+echo "#auth required pam_wheel.so use_uid" >> /etc/pam.d/su
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
|
|
|
f8899d |
new file mode 100644
|
|
|
f8899d |
index 0000000000..be95c2eda9
|
|
|
f8899d |
--- /dev/null
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
|
|
|
f8899d |
@@ -0,0 +1,4 @@
|
|
|
f8899d |
+#!/bin/bash
|
|
|
f8899d |
+
|
|
|
f8899d |
+#clean possible lines
|
|
|
f8899d |
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
|
|
|
f8899d |
|
|
|
f8899d |
From a4403371faeaf155a53f3e1720ecc087d7c38eb2 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Thu, 15 Oct 2020 09:04:18 +0200
|
|
|
f8899d |
Subject: [PATCH 3/7] add rule into rhel8 ospp
|
|
|
f8899d |
|
|
|
f8899d |
---
|
|
|
f8899d |
rhel8/profiles/ospp.profile | 1 +
|
|
|
f8899d |
tests/data/profile_stability/rhel8/ospp.profile | 1 +
|
|
|
f8899d |
tests/data/profile_stability/rhel8/stig.profile | 1 +
|
|
|
f8899d |
3 files changed, 3 insertions(+)
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
|
|
|
f8899d |
index d5133cc58b..cbe9cc6485 100644
|
|
|
f8899d |
--- a/rhel8/profiles/ospp.profile
|
|
|
f8899d |
+++ b/rhel8/profiles/ospp.profile
|
|
|
f8899d |
@@ -222,6 +222,7 @@ selections:
|
|
|
f8899d |
- securetty_root_login_console_only
|
|
|
f8899d |
- var_password_pam_unix_remember=5
|
|
|
f8899d |
- accounts_password_pam_unix_remember
|
|
|
f8899d |
+ - use_pam_wheel_for_su
|
|
|
f8899d |
|
|
|
f8899d |
### SELinux Configuration
|
|
|
f8899d |
- var_selinux_state=enforcing
|
|
|
f8899d |
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
index 9dcca1ea5e..2660e815e9 100644
|
|
|
f8899d |
--- a/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
+++ b/tests/data/profile_stability/rhel8/ospp.profile
|
|
|
f8899d |
@@ -219,6 +219,7 @@ selections:
|
|
|
f8899d |
- sysctl_user_max_user_namespaces
|
|
|
f8899d |
- timer_dnf-automatic_enabled
|
|
|
f8899d |
- usbguard_allow_hid_and_hub
|
|
|
f8899d |
+- use_pam_wheel_for_su
|
|
|
f8899d |
- zipl_audit_argument
|
|
|
f8899d |
- zipl_audit_backlog_limit_argument
|
|
|
f8899d |
- zipl_bls_entries_only
|
|
|
f8899d |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
index 66c5e7d743..ad8205dcfc 100644
|
|
|
f8899d |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
f8899d |
@@ -241,6 +241,7 @@ selections:
|
|
|
f8899d |
- sysctl_user_max_user_namespaces
|
|
|
f8899d |
- timer_dnf-automatic_enabled
|
|
|
f8899d |
- usbguard_allow_hid_and_hub
|
|
|
f8899d |
+- use_pam_wheel_for_su
|
|
|
f8899d |
- var_rekey_limit_size=1G
|
|
|
f8899d |
- var_rekey_limit_time=1hour
|
|
|
f8899d |
- var_accounts_user_umask=027
|
|
|
f8899d |
|
|
|
f8899d |
From e6e3fbec1fe141ffc48c96ac6121aa11ba94ec64 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Fri, 23 Oct 2020 16:32:04 +0200
|
|
|
f8899d |
Subject: [PATCH 4/7] fix remediation
|
|
|
f8899d |
|
|
|
f8899d |
---
|
|
|
f8899d |
.../root_logins/use_pam_wheel_for_su/bash/shared.sh | 7 ++++---
|
|
|
f8899d |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
index 0aec7b4361..8e2e92f6ce 100644
|
|
|
f8899d |
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
@@ -1,8 +1,9 @@
|
|
|
f8899d |
#!/bin/bash
|
|
|
f8899d |
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
f8899d |
|
|
|
f8899d |
-if ! grep -q pam_wheel /etc/pam.d/su; then
|
|
|
f8899d |
- sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su
|
|
|
f8899d |
-else
|
|
|
f8899d |
+# uncomment the option if commented
|
|
|
f8899d |
+ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su
|
|
|
f8899d |
+
|
|
|
f8899d |
+if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then
|
|
|
f8899d |
echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
|
|
|
f8899d |
fi
|
|
|
f8899d |
|
|
|
f8899d |
From 0339398e8c0e7e29b0bb656787fe38bfbeae2b81 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Fri, 30 Oct 2020 15:41:40 +0100
|
|
|
f8899d |
Subject: [PATCH 5/7] update bash remediation
|
|
|
f8899d |
|
|
|
f8899d |
do not remediate if commented version does not exist
|
|
|
f8899d |
---
|
|
|
f8899d |
.../root_logins/use_pam_wheel_for_su/bash/shared.sh | 6 +-----
|
|
|
f8899d |
1 file changed, 1 insertion(+), 5 deletions(-)
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
index 8e2e92f6ce..d001e73362 100644
|
|
|
f8899d |
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
|
|
|
f8899d |
@@ -2,8 +2,4 @@
|
|
|
f8899d |
# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
|
|
|
f8899d |
|
|
|
f8899d |
# uncomment the option if commented
|
|
|
f8899d |
- sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su
|
|
|
f8899d |
-
|
|
|
f8899d |
-if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then
|
|
|
f8899d |
- echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
|
|
|
f8899d |
-fi
|
|
|
f8899d |
+ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
|
|
|
f8899d |
|
|
|
f8899d |
From a0c255e8bc6755c301900d7f19a58952695ff919 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Fri, 30 Oct 2020 15:42:11 +0100
|
|
|
f8899d |
Subject: [PATCH 6/7] update ansible remediation
|
|
|
f8899d |
|
|
|
f8899d |
do not remediate when commented version does not exist
|
|
|
f8899d |
---
|
|
|
f8899d |
.../root_logins/use_pam_wheel_for_su/ansible/shared.yml | 7 +++----
|
|
|
f8899d |
1 file changed, 3 insertions(+), 4 deletions(-)
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
|
|
|
f8899d |
index d66d66200d..7194be9c61 100644
|
|
|
f8899d |
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
|
|
|
f8899d |
@@ -5,8 +5,7 @@
|
|
|
f8899d |
# disruption = low
|
|
|
f8899d |
|
|
|
f8899d |
- name: "restrict usage of su command only to members of wheel group"
|
|
|
f8899d |
- lineinfile:
|
|
|
f8899d |
+ replace:
|
|
|
f8899d |
path: "/etc/pam.d/su"
|
|
|
f8899d |
- line: "auth required pam_wheel.so use_uid"
|
|
|
f8899d |
- regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
|
|
|
f8899d |
- state: present
|
|
|
f8899d |
+ regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
|
|
|
f8899d |
+ replace: "auth required pam_wheel.so use_uid"
|
|
|
f8899d |
|
|
|
f8899d |
From b170fc7c0f6d85a49f44809037a425a0f0e76fa1 Mon Sep 17 00:00:00 2001
|
|
|
f8899d |
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
|
f8899d |
Date: Fri, 30 Oct 2020 15:42:34 +0100
|
|
|
f8899d |
Subject: [PATCH 7/7] update tests
|
|
|
f8899d |
|
|
|
f8899d |
---
|
|
|
f8899d |
.../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 1 +
|
|
|
f8899d |
1 file changed, 1 insertion(+)
|
|
|
f8899d |
|
|
|
f8899d |
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
|
|
|
f8899d |
index be95c2eda9..d08437501b 100644
|
|
|
f8899d |
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
|
|
|
f8899d |
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
|
|
|
f8899d |
@@ -1,4 +1,5 @@
|
|
|
f8899d |
#!/bin/bash
|
|
|
f8899d |
+# remediation = none
|
|
|
f8899d |
|
|
|
f8899d |
#clean possible lines
|
|
|
f8899d |
sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
|