From f1011e329d01e857a20d8f75285ad22c38ff4033 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 15 Oct 2020 09:03:33 +0200
Subject: [PATCH 1/7] add rule
---
 .../use_pam_wheel_for_su/ansible/shared.yml | 12 +++++++
 .../use_pam_wheel_for_su/bash/shared.sh | 8 +++++
 .../use_pam_wheel_for_su/oval/shared.xml | 19 +++++++++++
 .../root_logins/use_pam_wheel_for_su/rule.yml | 32 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 1 -
 5 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
new file mode 100644
index 0000000000..d66d66200d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
@@ -0,0 +1,12 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "restrict usage of su command only to members of wheel group"
+ lineinfile:
+ path: "/etc/pam.d/su"
+ line: "auth required pam_wheel.so use_uid"
+ regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
+ state: present
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh new file mode 100644 index 0000000000..0aec7b4361 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv + +if ! grep -q pam_wheel /etc/pam.d/su; then + sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su +else + echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su +fi diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml new file mode 100644 index 0000000000..f84e04fa32 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml @@ -0,0 +1,19 @@ + + + {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.") }}} + + + + + + + + + + + /etc/pam.d/su + ^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$ + 1 + + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml new file mode 100644 index 0000000000..260cbd3344 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml 
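Review bot: The textfilecontent54 pattern `^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$` accepts exactly one spelling of the directive, so a configuration that is at least as restrictive — `requisite` in place of `required`, an additional pam_wheel option such as `group=wheel` after `use_uid`, or merely trailing whitespace on the line — is reported as failing. Trailing whitespace is cheap to tolerate with `pam_wheel\.so[\s]+use_uid[\s]*$`; whether other option orders or `requisite` should pass is a policy decision that rule.yml's description should state explicitly so the exact-line requirement is deliberate rather than accidental. The same end anchor is used by the bash sed pattern (patch 5) and the Ansible regexp (patch 6), so a vendor-shipped commented line with trailing whitespace would neither be uncommented by the remediation nor accepted by the check. Only the pattern text is visible here; the XML structure of this hunk has been stripped, so the element layout is not being judged.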
@@ -0,0 +1,32 @@ +documentation_complete: true + +prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4 + +title: 'Enforce usage of pam_wheel for su authentication' + +description: |- + To ensure that only users who are members of the wheel group can + run commands with altered privileges through the su command, make + sure that the following line exists in the file /etc/pam.d/su: +
auth             required        pam_wheel.so use_uid
+ +rationale: |- + The su program allows to run commands with a substitute user and + group ID. It is commonly used to run commands as the root user. Limiting + access to such command is considered a good security practice. + +severity: medium + +identifiers: + cce@rhel8: CCE-83318-6 + +references: + ospp: FMT_SMF_EXT.1.1 + +ocil_clause: 'the line is not in the file or it is commented' + +ocil: |- + Run the following command to check if the line is present: +
grep pam_wheel /etc/pam.d/su
+ The output should contain the following line: +
auth             required        pam_wheel.so use_uid
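Review bot: The `ocil` procedure `grep pam_wheel /etc/pam.d/su` also prints a commented-out `#auth required pam_wheel.so use_uid` line, so a reader comparing output against the expected line can easily accept a system that the OVAL check fails; the text should say the line must appear without a leading `#`, or the command should be narrowed, e.g. `grep '^\s*auth\s\+required\s\+pam_wheel\.so' /etc/pam.d/su`. The `description` says only that the line must exist, yet the remediations as finalised in this series (patches 5 and 6) only uncomment an existing line and do nothing when it is absent, so the description should record that assumption, something like `The remediation uncomments an existing commented line and does not add the line if it is missing.` The `ocil_clause` already covers the commented case, so only the `ocil` and `description` wording needs to be brought in line with it.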
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 21b42b5eee..a76d3cb609 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2,7 +2,6 @@ CCE-83314-5
 CCE-83315-2
 CCE-83316-0
 CCE-83317-8
-CCE-83318-6
 CCE-83319-4
 CCE-83320-2
 CCE-83322-8
From da5fc11a838214aff87425470b909107148f25d5 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 15 Oct 2020 09:03:48 +0200
Subject: [PATCH 2/7] add tests
---
 .../root_logins/use_pam_wheel_for_su/tests/correct.pass.sh | 7 +++++++
 .../use_pam_wheel_for_su/tests/line_commented.fail.sh | 7 +++++++
 .../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 4 ++++
 3 files changed, 18 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
new file mode 100644
index 0000000000..233b3b11b4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
+
+#apply correct line
+echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
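Review bot: The comment `#clean possible commented lines` does not describe the sed below it: the pattern `^.*auth.*required.*pam_wheel\.so.*use_uid$` deletes an active directive as well as commented ones, which is intended so the fixture starts clean, so `# remove any existing pam_wheel line, commented or not` would be accurate; the same comment is copied into line_commented.fail.sh and line_not_there.fail.sh. Beyond wording, the three scenarios leave the check's tolerance untested: there is no pass case with a correctly configured line that uses different spacing, leading indentation or trailing whitespace, and no fail case for a line commented with whitespace before the `#`, which is the form the bash sed in patch 5 is written to handle. Adding those fixtures would pin down what the OVAL pattern accepts and keep the bash and Ansible regexps honest.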
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
new file mode 100644
index 0000000000..aa7757d2e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
+
+#apply commented line
+echo "#auth required pam_wheel.so use_uid" >> /etc/pam.d/su
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
new file mode 100644
index 0000000000..be95c2eda9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+#clean possible lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
From a4403371faeaf155a53f3e1720ecc087d7c38eb2 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 15 Oct 2020 09:04:18 +0200
Subject: [PATCH 3/7] add rule into rhel8 ospp
---
 rhel8/profiles/ospp.profile | 1 +
 tests/data/profile_stability/rhel8/ospp.profile | 1 +
 tests/data/profile_stability/rhel8/stig.profile | 1 +
 3 files changed, 3 insertions(+)
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index d5133cc58b..cbe9cc6485 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -222,6 +222,7 @@ selections:
 - securetty_root_login_console_only
 - var_password_pam_unix_remember=5
 - accounts_password_pam_unix_remember
+ - use_pam_wheel_for_su
 ### SELinux Configuration
 - var_selinux_state=enforcing
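Review bot: The rule is selected only in the RHEL 8 OSPP profile, while rule.yml in patch 1 declares `prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4`; if the other products are meant to ship it, none of their profiles is touched in this series, and if they are not, the prodtype is wider than its actual use. The rule carries `ospp: FMT_SMF_EXT.1.1`, so the RHEL 8 OSPP selection is consistent with its reference; whether the RHEL 7 OSPP profile should receive the same selection, or prodtype should be narrowed, is the follow-up to decide. A one-line comment above the new selection naming the requirement it satisfies, e.g. `# FMT_SMF_EXT.1.1: restrict su to wheel members`, would make the mapping visible to the next reader of the profile.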
diff --git a/tests/data/profile_stability/rhel8/ospp.profile b/tests/data/profile_stability/rhel8/ospp.profile
index 9dcca1ea5e..2660e815e9 100644
--- a/tests/data/profile_stability/rhel8/ospp.profile
+++ b/tests/data/profile_stability/rhel8/ospp.profile
@@ -219,6 +219,7 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- use_pam_wheel_for_su
 - zipl_audit_argument
 - zipl_audit_backlog_limit_argument
 - zipl_bls_entries_only
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 66c5e7d743..ad8205dcfc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -241,6 +241,7 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- use_pam_wheel_for_su
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour
 - var_accounts_user_umask=027
From e6e3fbec1fe141ffc48c96ac6121aa11ba94ec64 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 23 Oct 2020 16:32:04 +0200
Subject: [PATCH 4/7] fix remediation
---
 .../root_logins/use_pam_wheel_for_su/bash/shared.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
index 0aec7b4361..8e2e92f6ce 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
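Review bot: The profile_stability fixture for the RHEL 8 STIG profile gains `use_pam_wheel_for_su`, but no change to the RHEL 8 STIG profile source appears anywhere in this series; that is consistent only if the STIG profile inherits the OSPP selections, which should be confirmed rather than assumed, because the stability test compares the fully rendered profile and will fail if the inheritance is not there. If the selection is inherited, a short sentence in the commit message saying so would save the next reviewer the same check.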
@@ -1,8 +1,9 @@
 #!/bin/bash
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
-if ! grep -q pam_wheel /etc/pam.d/su; then
- sed '/^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so use_uid$/s/^#//' -i /etc/pam.d/su
-else
+# uncomment the option if commented
+ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su
+
+if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then
 echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
 fi
From 0339398e8c0e7e29b0bb656787fe38bfbeae2b81 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 30 Oct 2020 15:41:40 +0100
Subject: [PATCH 5/7] update bash remediation do not remediate if commented version does not exist
---
 .../root_logins/use_pam_wheel_for_su/bash/shared.sh | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
index 8e2e92f6ce..d001e73362 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh
@@ -2,8 +2,4 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 # uncomment the option if commented
- sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^#//' -i /etc/pam.d/su
-
-if ! grep -q '^[\s]*auth[\s]+required[\s]+pam_wheel\.so\[s]+use_uid$' /etc/pam.d/su; then
- echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su
-fi
+ sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su
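Review bot: After this hunk the remediation is a single sed that uncomments an existing `auth required pam_wheel.so use_uid` line and does nothing when no such line is present, so on a host where the entry is absent the script exits 0 and the rule remains failing; that is the stated intent of the commit, but nothing in the script says so, and the comment `# uncomment the option if commented` should be extended to something like `# Only uncomments an existing pam_wheel line; a missing line is deliberately not added (see tests/line_not_there.fail.sh, remediation = none).` The remaining sed line is indented by one space in an otherwise flush script; drop the indent. The pattern also requires the commented line to end exactly at `use_uid`, so a commented line with trailing whitespace or additional pam_wheel options is left untouched; `use_uid[[:space:]]*$` would at least tolerate the whitespace. The Ansible task rewritten in patch 6 has the same silent no-op behaviour and the same end anchor.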
From a0c255e8bc6755c301900d7f19a58952695ff919 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 30 Oct 2020 15:42:11 +0100
Subject: [PATCH 6/7] update ansible remediation do not remediate when commented version does not exist
---
 .../root_logins/use_pam_wheel_for_su/ansible/shared.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
index d66d66200d..7194be9c61 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml
@@ -5,8 +5,7 @@
 # disruption = low
 - name: "restrict usage of su command only to members of wheel group"
- lineinfile:
+ replace:
 path: "/etc/pam.d/su"
- line: "auth required pam_wheel.so use_uid"
- regexp: '^[\s]*[#]*[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
- state: present
+ regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
+ replace: "auth required pam_wheel.so use_uid"
From b170fc7c0f6d85a49f44809037a425a0f0e76fa1 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Fri, 30 Oct 2020 15:42:34 +0100
Subject: [PATCH 7/7] update tests
---
 .../use_pam_wheel_for_su/tests/line_not_there.fail.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
index be95c2eda9..d08437501b 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh
@@ -1,4 +1,5 @@
 #!/bin/bash
+# remediation = none
 #clean possible lines
 sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su