Update require_singleuser_auth for RHEL

Don't modify /usr files they are controled by the operating system.
ComplianceAsCode · Oct 10, 2024 · b560bc1 · b560bc1
1 parent c9c05b1
commit b560bc1
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 16 deletions.
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml
@@ -4,13 +4,22 @@
 # complexity = low
 # disruption = low
 
+{{% if 'rhel' not in product %}}
 - name: Require single user mode password
  lineinfile:
  create: yes
  dest: /usr/lib/systemd/system/rescue.service
  regexp: "^#?ExecStart="
- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "sle12", "sle15"] -%}}
+ {{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15"] -%}}
  line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
  {{%- else -%}}
  line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
  {{%- endif %}}
+{{% else %}}
+- name: "{{{ rule_title }}} - Require single user mode password"
+ community.general.ini_file:
+ path: "/etc/systemd/system/rescue.service.d/10-oscap.conf"
+ section: "Service"
+ option: "ExecStart"
+ value: "-/usr/lib/systemd/systemd-sulogin-shell rescue"
+{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/bash/shared.sh
@@ -1,15 +1,9 @@
 # platform = multi_platform_all
 
-service_file="/usr/lib/systemd/system/rescue.service"
-
 {{% if product in ["fedora", "ol8", "ol9", "sle12", "sle15",] or 'rhel' in product -%}}
-sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue"
+{{% set sulogin="/usr/lib/systemd/systemd-sulogin-shell rescue" %}}
 {{%- else -%}}
-sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
+{{% set sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"' %}}
 {{%- endif %}}
 
-if grep "^ExecStart=.*" "$service_file" ; then
- sed -i "s%^ExecStart=.*%ExecStart=-$sulogin%" "$service_file"
-else
- echo "ExecStart=-$sulogin" >> "$service_file"
-fi
+{{{ bash_ensure_ini_config("/etc/systemd/system/rescue.service.d/10-oscap.conf", "Service", "ExecStart", sulogin) }}}
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/oval/shared.xml
@@ -5,16 +5,16 @@
  <criteria operator="AND">
  <criterion comment="Conditions are satisfied"
  test_ref="test_require_rescue_service" />
- {{%- if product not in ["ol8", "rhel8"] -%}}
+ {{%- if product not in ["ol8"] and 'rhel' not in product  -%}}
  <criterion test_ref="test_require_rescue_service_runlevel1" />
  <criterion test_ref="test_no_custom_runlevel1_target" negate="true"/>
- <criterion test_ref="test_no_custom_rescue_service" negate="true"/>
+  <criterion test_ref="test_no_custom_rescue_service" negate="true"/>
  {{%- endif -%}}
  </criteria>
  </definition>
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
  comment="Tests that
- {{% if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4", "sle12", "sle15"] -%}}
+ {{% if product in ["fedora", "ol8", "ol9", "rhcos4", "sle12", "sle15"] or 'rhel' in product -%}}
  /usr/lib/systemd/systemd-sulogin-shell
  {{%- else -%}}
  /sbin/sulogin
@@ -25,16 +25,21 @@
  <ind:object object_ref="obj_require_rescue_service" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="obj_require_rescue_service" version="1">
+ {{%- if 'rhel' in product -%}}
+ <ind:path>/etc/systemd/system/rescue.service.d</ind:path>
+ <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+ {{%- else -%}}
  <ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
- {{%- if product in ["fedora", "ol8", "ol9", "rhel8", "rhel9", "rhcos4", "sle12", "sle15"] -%}}
+ {{%- endif -%}}
+ {{%- if product in ["fedora", "ol8", "ol9", "rhcos4", "sle12", "sle15"] or 'rhel' in product -%}}
  <ind:pattern operation="pattern match">^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue</ind:pattern>
  {{%- else -%}}
  <ind:pattern operation="pattern match">^ExecStart=\-/bin/sh[\s]+-c[\s]+\"(/usr)?/sbin/sulogin;[\s]+/usr/bin/systemctl[\s]+--fail[\s]+--no-block[\s]+default\"</ind:pattern>
  {{%- endif -%}}
  <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
 
- {{%- if product not in ["ol8", "rhel8"] -%}}
+ {{%- if product not in ["ol8"] and 'rhel' not in product -%}}
  <ind:textfilecontent54_test check="all" check_existence="all_exist"
  comment="Tests that the systemd rescue.service is in the runlevel1.target"
  id="test_require_rescue_service_runlevel1" version="1">

diff --git a/...ide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh b/...ide/system/accounts/accounts-physical/require_singleuser_auth/tests/correct_value.pass.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = Oracle Linux 8,Oracle Linux 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,multi_platform_fedora
+# platform = Oracle Linux 8,Oracle Linux 9,multi_platform_fedora,multi_platform_rhel
 
 service_file="/usr/lib/systemd/system/rescue.service"
 sulogin="/usr/lib/systemd/systemd-sulogin-shell"