Modification of the rule ensure_pam_wheel_group_empty

ComplianceAsCode · Jun 29, 2023 · a6b6843 · a6b6843
1 parent 9a11550
commit a6b6843
Show file tree

Hide file tree

Showing 11 changed files with 30 additions and 22 deletions.
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
@@ -1907,6 +1907,7 @@ controls:
  - l1_workstation
  automated: partially # we check only for usage of use_uid with pam_su, not for the group
  rules:
+ - ensure_pam_wheel_group_empty
  - use_pam_wheel_group_for_su
  - var_pam_wheel_group_for_su=cis
 

diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
@@ -2102,6 +2102,7 @@ controls:
  - l1_workstation
  automated: partially # we check only for usage of use_uid with pam_su, not for the group
  rules:
+ - ensure_pam_wheel_group_empty
  - use_pam_wheel_group_for_su
  - var_pam_wheel_group_for_su=cis
 

diff --git a/...ccounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml b/...ccounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle,multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}}
+
+- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} is removed
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: absent 
+
+- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} exist
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: present
diff --git a/...em/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/...em/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu
 
 {{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
 

diff --git a/...e/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml b/...e/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ubuntu2004,ubuntu2204
+prodtype: sle12,sle15,ubuntu2004,ubuntu2204
 
 title: 'Ensure the Group Used by pam_wheel Module Exists on System and is Empty'
 
@@ -17,7 +17,13 @@ rationale: |-
 
 severity: medium
 
+identifiers:
+ cce@sle12: CCE-92353-2
+ cce@sle15: CCE-92528-9
+
 references:
+ cis@sle12: '5.6'
+ cis@sle15: '5.6'
  cis@ubuntu2004: '5.6'
  cis@ubuntu2204: 5.3.7
 

diff --git a/.../accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/.../accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
@@ -6,16 +6,6 @@
 
 {{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}}
 
-- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} is removed
- group:
- name: "{{ var_pam_wheel_group_for_su }}"
- state: absent 
-
-- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} exist
- group:
- name: "{{ var_pam_wheel_group_for_su }}"
- state: present
-
 - name: {{{ rule_title }}} - Add the group to the /etc/pam.d/su file
  ansible.builtin.lineinfile:
  path: "/etc/pam.d/su"

diff --git a/...stem/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/...stem/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
@@ -1,15 +1,8 @@
-# platform = multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
 {{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
 
 PAM_CONF=/etc/pam.d/su
 
-if [ "$(getent group ${var_pam_wheel_group_for_su})" ]; then
- # group exists
- groupdel -f ${var_pam_wheel_group_for_su}
-fi
-groupadd -f ${var_pam_wheel_group_for_su}
-
-
 pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
 if [ -z "$pamstr" ]; then
  sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line

diff --git a/products/sle12/profiles/pci-dss-4.profile b/products/sle12/profiles/pci-dss-4.profile
@@ -21,6 +21,7 @@ selections:
  - disable_host_auth
  - disable_prelink
  - disable_users_coredumps
+ - ensure_pam_wheel_group_empty
  - file_at_deny_not_exist
  - file_cron_deny_not_exist
  - file_groupowner_at_allow

diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
@@ -13,6 +13,7 @@ description: |-
 
 selections:
  - pcidss_4:all:base
+ - ensure_pam_wheel_group_empty
  - sshd_strong_kex=pcidss
  - sshd_approved_macs=cis_sle15
  - sshd_approved_ciphers=cis_sle15 

diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
@@ -16,7 +16,6 @@ CCE-92345-8
 CCE-92347-4
 CCE-92348-2
 CCE-92350-8
-CCE-92353-2
 CCE-92354-0
 CCE-92355-7
 CCE-92357-3

diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
@@ -26,7 +26,6 @@ CCE-92521-4
 CCE-92524-8
 CCE-92525-5
 CCE-92527-1
-CCE-92528-9
 CCE-92530-5
 CCE-92532-1
 CCE-92533-9