Updates of the rule use_pam_wheel_group_for_su

controls/cis_sle12.yml

@@ -1907,7 +1907,8 @@ controls:
  - l1_workstation
  automated: partially # we check only for usage of use_uid with pam_su, not for the group
  rules:
- - use_pam_wheel_for_su
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
 
  - id: 6.1.1
  title: Audit system file permissions (Manual)

controls/cis_sle15.yml

@@ -2102,7 +2102,8 @@ controls:
  - l1_workstation
  automated: partially # we check only for usage of use_uid with pam_su, not for the group
  rules:
- - use_pam_wheel_for_su
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
 
  - id: 6.1.1
  title: Audit system file permissions (Manual)

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml

@@ -0,0 +1,24 @@
+# platform = multi_platform_sle,multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}}
+
+- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} is removed
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: absent 
+
+- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} exist
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: present
+
+- name: {{{ rule_title }}} - Add the group to the /etc/pam.d/su file
+ ansible.builtin.lineinfile:
+ path: "/etc/pam.d/su"
+ state: present
+ regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$'
+ line: "auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }}"

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh

@@ -1,8 +1,15 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_sle
 {{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
 
 PAM_CONF=/etc/pam.d/su
 
+if [ $(getent group ${var_pam_wheel_group_for_su})]; then
+ # group exists
+ groupdel -f ${var_pam_wheel_group_for_su}
+fi
+groupadd -f ${var_pam_wheel_group_for_su}
+
+
 pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
 if [ -z "$pamstr" ]; then
  sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml

@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ubuntu2004,ubuntu2204
+prodtype: ubuntu2004,ubuntu2204,sle12,sle15
 
 title: 'Enforce Usage of pam_wheel with Group Parameter for su Authentication'
 
@@ -19,7 +19,13 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+ cce@sle12: CCE-92351-6
+ cce@sle15: CCE-92522-2
+
 references:
+ cis@sle12: '5.6'
+ cis@sle15: '5.6'
  cis@ubuntu2004: '5.6'
  cis@ubuntu2204: 5.3.7
 

products/sle12/profiles/pci-dss-4.profile

@@ -89,3 +89,6 @@ selections:
  - sshd_strong_kex=pcidss
  - sshd_approved_macs=cis_sle12
  - sysctl_fs_suid_dumpable
+ - '!use_pam_wheel_for_su'
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis

products/sle15/profiles/pci-dss-4.profile

@@ -25,3 +25,6 @@ selections:
  - '!service_ntp_enabled'
  - '!service_ntpd_enabled'
  - '!service_timesyncd_enabled'
+ - '!use_pam_wheel_for_su'
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis

shared/references/cce-sle12-avail.txt

@@ -17,7 +17,6 @@ CCE-92345-8
 CCE-92347-4
 CCE-92348-2
 CCE-92350-8
-CCE-92351-6
 CCE-92353-2
 CCE-92354-0
 CCE-92355-7

shared/references/cce-sle15-avail.txt

@@ -24,7 +24,6 @@ CCE-92516-4
 CCE-92517-2
 CCE-92519-8
 CCE-92521-4
-CCE-92522-2
 CCE-92524-8
 CCE-92525-5
 CCE-92527-1