From f1011e329d01e857a20d8f75285ad22c38ff4033 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 15 Oct 2020 09:03:33 +0200
Subject: [PATCH 1/7] add rule

---
 .../use_pam_wheel_for_su/ansible/shared.yml   | 12 +++++++
 .../use_pam_wheel_for_su/bash/shared.sh       |  8 +++++
 .../use_pam_wheel_for_su/oval/shared.xml      | 19 +++++++++++
 .../root_logins/use_pam_wheel_for_su/rule.yml | 32 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt        |  1 -
 5 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
new file mode 100644
index 0000000000..d66d66200d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "restrict usage of su command only to members of wheel group"
+  lineinfile:
+    path: "/etc/pam.d/su"
+    line: "auth             required        pam_wheel.so use_uid"
+    regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
+    state: present
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
new file mode 100644
index 0000000000..0aec7b4361
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+
+if ! grep -q pam_wheel /etc/pam.d/su; then
+  sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su
+else
+  echo "auth             required        pam_wheel.so use_uid" >> /etc/pam.d/su
+fi
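Review bot: The condition on `if ! grep -q pam_wheel /etc/pam.d/su` is inverted: the sed that uncomments an existing template line runs only when no `pam_wheel` line exists (so it can never match), while the `else` branch appends a fresh line whenever `pam_wheel` is already present, including when the correct active line is already there, so each run adds another copy and the script is not idempotent. The sed pattern is also written for a PCRE-style engine, but GNU sed's default BRE treats `+` as a literal and a backslash inside a bracket expression as a literal backslash, so `[\s]+` does not express "one or more whitespace"; `[[:space:]]\+` is the BRE form. Later patches in this series (4/7 and 5/7) rework this file, so the fix should be judged against those hunks rather than re-applied here.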
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
new file mode 100644
index 0000000000..f84e04fa32
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
@@ -0,0 +1,19 @@
+<def-group>
+  <definition class="compliance" id="use_pam_wheel_for_su" version="1">
+    {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_use_pam_wheel_for_su" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/su for correct setting" id="test_use_pam_wheel_for_su" version="1">
+    <ind:object object_ref="object_use_pam_wheel_for_su" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="check /etc/pam.d/su for correct setting" id="object_use_pam_wheel_for_su" version="1">
+    <ind:filepath>/etc/pam.d/su</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
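Review bot: The pattern in `object_use_pam_wheel_for_su` is anchored with `use_uid$`, so an active line that carries a further pam_wheel option after `use_uid` (or trailing whitespace) is reported as non-compliant even though it enforces the same restriction; if such variations are meant to pass, a looser tail such as `pam_wheel\.so[\s]+.*\buse_uid\b` would be needed, otherwise the description should say the line must match exactly. The check also accepts the line at any position in the file and does not look at the surrounding `auth` stack, so — depending on how the rest of `/etc/pam.d/su` is built — a line that PAM never reaches could still pass; if that matters for the target platforms, a comment in the object explaining why position is not checked would help the next maintainer. The `comment` attribute is the same on the test and the object; giving the object its own wording (e.g. "active pam_wheel.so use_uid line in /etc/pam.d/su") makes result reports easier to read.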
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
new file mode 100644
index 0000000000..260cbd3344
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Enforce usage of pam_wheel for su authentication'
+
+description: |-
+    To ensure that only users who are members of the <tt>wheel</tt> group can
+    run commands with altered privileges through the <tt>su</tt> command, make
+    sure that the following line exists in the file <tt>/etc/pam.d/su</tt>:
+    <pre>auth             required        pam_wheel.so use_uid</pre>
+
+rationale: |-
+    The <tt>su</tt> program allows to run commands with a substitute user and
+    group ID. It is commonly used to run commands as the root user. Limiting
+    access to such command is considered a good security practice.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-83318-6
+
+references:
+    ospp: FMT_SMF_EXT.1.1
+
+ocil_clause: 'the line is not in the file or it is commented'
+
+ocil: |-
+    Run the following command to check if the line is present:
+    <pre>grep pam_wheel /etc/pam.d/su</pre>
+    The output should contain the following line:
+    <pre>auth             required        pam_wheel.so use_uid</pre>
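Review bot: The `ocil` text tells the auditor that the output of `grep pam_wheel /etc/pam.d/su` should contain the `auth required pam_wheel.so use_uid` line, but that grep also prints the commented template line `#auth ... use_uid`, which `ocil_clause` explicitly treats as a failure; add a sentence after the expected line such as `The line must not be commented out, i.e. it must not start with <tt>#</tt>.` so the manual check matches the OVAL result. `prodtype` lists `rhel7` and `ol7`, yet `identifiers` only assigns `cce@rhel8`; if the rule is meant to ship in RHEL 7 content, a `cce@rhel7` entry should presumably be taken from the availability list as was done for RHEL 8 — worth confirming with the project's CCE policy.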
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 21b42b5eee..a76d3cb609 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2,7 +2,6 @@ CCE-83314-5
 CCE-83315-2
 CCE-83316-0
 CCE-83317-8
-CCE-83318-6
 CCE-83319-4
 CCE-83320-2
 CCE-83322-8

From da5fc11a838214aff87425470b909107148f25d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 15 Oct 2020 09:03:48 +0200
Subject: [PATCH 2/7] add tests

---
 .../root_logins/use_pam_wheel_for_su/tests/correct.pass.sh | 7 +++++++
 .../use_pam_wheel_for_su/tests/line_commented.fail.sh      | 7 +++++++
 .../use_pam_wheel_for_su/tests/line_not_there.fail.sh      | 4 ++++
 3 files changed, 18 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
new file mode 100644
index 0000000000..233b3b11b4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
+
+#apply correct line
+echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
new file mode 100644
index 0000000000..aa7757d2e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
+
+#apply commented line
+echo "#auth required pam_wheel.so use_uid" >> /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..be95c2eda9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+#clean possible lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su

From a4403371faeaf155a53f3e1720ecc087d7c38eb2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 15 Oct 2020 09:04:18 +0200
Subject: [PATCH 3/7] add rule into rhel8 ospp

---
 rhel8/profiles/ospp.profile                     | 1 +
 tests/data/profile_stability/rhel8/ospp.profile | 1 +
 tests/data/profile_stability/rhel8/stig.profile | 1 +
 3 files changed, 3 insertions(+)

diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index d5133cc58b..cbe9cc6485 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -222,6 +222,7 @@ selections:
     - securetty_root_login_console_only
     - var_password_pam_unix_remember=5
     - accounts_password_pam_unix_remember
+    - use_pam_wheel_for_su
 
     ### SELinux Configuration
     - var_selinux_state=enforcing
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 9dcca1ea5e..2660e815e9 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -219,6 +219,7 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- use_pam_wheel_for_su
 - zipl_audit_argument
 - zipl_audit_backlog_limit_argument
 - zipl_bls_entries_only
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 66c5e7d743..ad8205dcfc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -241,6 +241,7 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- use_pam_wheel_for_su
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=027

From e6e3fbec1fe141ffc48c96ac6121aa11ba94ec64 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 23 Oct 2020 16:32:04 +0200
Subject: [PATCH 4/7] fix remediation

---
 .../root_logins/use_pam_wheel_for_su/bash/shared.sh        | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
index 0aec7b4361..8e2e92f6ce 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 
-if ! grep -q pam_wheel /etc/pam.d/su; then
-  sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su
-else
+# uncomment the option if commented
+  sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su
+
+if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then
   echo "auth             required        pam_wheel.so use_uid" >> /etc/pam.d/su
 fi
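Review bot: The grep regexp on the new `if` line cannot match the active line: `\[s]+` escapes the bracket (so it looks for the literal characters `[s]+`), and in grep's default BRE `+` is literal and `\s` inside a bracket expression is a literal backslash, so the test is always false and the echo appends a duplicate line on every run. A working form is `if ! grep -q '^[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$' /etc/pam.d/su; then`, matching the character classes already used in the sed line above it. That sed line is also indented by two spaces although it is no longer inside a block; it should start at column 0.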

From 0339398e8c0e7e29b0bb656787fe38bfbeae2b81 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 30 Oct 2020 15:41:40 +0100
Subject: [PATCH 5/7] update bash remediation

do not remediate if commented version does not exist
---
 .../root_logins/use_pam_wheel_for_su/bash/shared.sh         | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
index 8e2e92f6ce..d001e73362 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
@@ -2,8 +2,4 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 
 # uncomment the option if commented
-  sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su
-
-if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then
-  echo "auth             required        pam_wheel.so use_uid" >> /etc/pam.d/su
-fi
+  sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
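Review bot: With the grep/echo fallback removed, the remediation is a silent no-op when `/etc/pam.d/su` contains no commented `auth required pam_wheel.so use_uid` template line, so such a host stays non-compliant with nothing telling the operator why; the Ansible `replace` task introduced in PATCH 6/7 has the same property, and the `# remediation = none` header added to `line_not_there.fail.sh` in PATCH 7/7 codifies it. If inserting the line is deliberately out of scope because its position in the PAM auth stack matters, the script should at least report the unremediated state, e.g. after the sed: `grep -q '^[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so' /etc/pam.d/su || echo "pam_wheel.so line not found in /etc/pam.d/su; add it manually" >&2`, and the commit message's reasoning should be recorded as a comment in the file. The remaining sed line also keeps the two-space indent inherited from the removed `if` block and should start at column 0.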

From a0c255e8bc6755c301900d7f19a58952695ff919 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 30 Oct 2020 15:42:11 +0100
Subject: [PATCH 6/7] update ansible remediation

do not remediate when commented version does not exist
---
 .../root_logins/use_pam_wheel_for_su/ansible/shared.yml    | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
index d66d66200d..7194be9c61 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
@@ -5,8 +5,7 @@
 # disruption = low
 
 - name: "restrict usage of su command only to members of wheel group"
-  lineinfile:
+  replace:
     path: "/etc/pam.d/su"
-    line: "auth             required        pam_wheel.so use_uid"
-    regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
-    state: present
+    regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
+    replace: "auth             required        pam_wheel.so use_uid"

From b170fc7c0f6d85a49f44809037a425a0f0e76fa1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Fri, 30 Oct 2020 15:42:34 +0100
Subject: [PATCH 7/7] update tests

---
 .../use_pam_wheel_for_su/tests/line_not_there.fail.sh            | 1 +
 1 file changed, 1 insertion(+)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
index be95c2eda9..d08437501b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# remediation = none
 
 #clean possible lines
 sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su