From b2871d18032eb187b3c86607265fed5d3dd16c4e Mon Sep 17 00:00:00 2001
From: rchikov
Date: Wed, 14 Jun 2023 10:44:14 +0200
Subject: [PATCH 1/5] Updates of the rule use_pam_wheel_group_for_su
---
controls/cis_sle12.yml | 3 ++-
controls/cis_sle15.yml | 3 ++-
.../ansible/shared.yml | 24 +++++++++++++++++++
.../use_pam_wheel_group_for_su/bash/shared.sh | 9 ++++++-
.../use_pam_wheel_group_for_su/rule.yml | 8 ++++++-
products/sle12/profiles/pci-dss-4.profile | 3 +++
products/sle15/profiles/pci-dss-4.profile | 3 +++
shared/references/cce-sle12-avail.txt | 1 -
shared/references/cce-sle15-avail.txt | 1 -
9 files changed, 49 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index 8b0cca8a4b9..b024dac6c2e 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -1907,7 +1907,8 @@ controls:
- l1_workstation
automated: partially # we check only for usage of use_uid with pam_su, not for the group
rules:
- - use_pam_wheel_for_su
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
- id: 6.1.1
title: Audit system file permissions (Manual)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 5ffd7cd12e9..59ed5fabe60 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -2102,7 +2102,8 @@ controls:
- l1_workstation
automated: partially # we check only for usage of use_uid with pam_su, not for the group
rules:
- - use_pam_wheel_for_su
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
- id: 6.1.1
title: Audit system file permissions (Manual)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
new file mode 100644
index 00000000000..972cc899b9c
--- /dev/null
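Review bot: The inline comment `automated: partially # we check only for usage of use_uid with pam_su, not for the group` is left unchanged although the selection now moves from use_pam_wheel_for_su to use_pam_wheel_group_for_su with `var_pam_wheel_group_for_su=cis`, a rule whose title says it enforces the group parameter, so the comment and possibly the `partially` status look stale. If the new rule's check does cover the `group=` option, change the line to `automated: yes` and drop the comment; if some part of the control is still manual, reword the comment to say which part. The same stanza is changed identically in controls/cis_sle15.yml in this patch.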
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
@@ -0,0 +1,24 @@
+# platform = multi_platform_sle,multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+ {{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}}
+ - name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} is removed
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: absent
+ - name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} exist
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: present
+ - name: {{{ rule_title }}} - Add the group to the /etc/pam.d/su file
+ ansible.builtin.lineinfile:
+ path: "/etc/pam.d/su"
+ state: present
+ regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid group=$'
+ line: "auth required pam_wheel.so use_uid group={{ var_pam_wheel_group_for_su }}"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
index bca903cb981..1a4fb89e1d6 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
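Review bot: The `regexp` of the lineinfile task matches only a commented-out line that already ends in `use_uid group=`, so on a typical /etc/pam.d/su (where, as far as I know, the pam_wheel entry shipped by the distribution is commented or active without any `group=` option) nothing matches and the module appends the new `auth required pam_wheel.so` line at the end of the file, below the `pam_rootok.so` and `include` entries, which changes the evaluation order relative to the template line, and any existing uncommented pam_wheel.so line is left in place as a duplicate. The bash remediation in this same patch first deletes stale `pam_wheel.so` lines, so the two remediations do not converge on the same file content. Consider widening the pattern to `regexp: '^[\s#]*auth\s+required\s+pam_wheel\.so.*$'` so the existing entry is replaced whether commented or not and whatever its options, and anchoring the line with `insertafter`/`insertbefore` at the position the bash variant uses instead of relying on end-of-file insertion.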
@@ -1,8 +1,15 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_ubuntu,multi_platform_sle
{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
PAM_CONF=/etc/pam.d/su
+if [ $(getent group ${var_pam_wheel_group_for_su})]; then
+ # group exists
+ groupdel -f ${var_pam_wheel_group_for_su}
+fi
+groupadd -f ${var_pam_wheel_group_for_su}
+
+
pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
if [ -z "$pamstr" ]; then
sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
index fa8d04ddc51..1f6c4848455 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ubuntu2004,ubuntu2204
+prodtype: ubuntu2004,ubuntu2204,sle12,sle15
title: 'Enforce Usage of pam_wheel with Group Parameter for su Authentication'
@@ -19,7 +19,13 @@ rationale: |-
severity: medium
+identifiers:
+ cce@sle12: CCE-92351-6
+ cce@sle15: CCE-92522-2
+
references:
+ cis@sle12: '5.6'
+ cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
cis@ubuntu2204: 5.3.7
diff --git a/products/sle12/profiles/pci-dss-4.profile b/products/sle12/profiles/pci-dss-4.profile
index 61add617ae9..7475bc9efac 100644
--- a/products/sle12/profiles/pci-dss-4.profile
+++ b/products/sle12/profiles/pci-dss-4.profile
@@ -90,3 +90,6 @@ selections:
- sshd_strong_kex=pcidss
- sshd_approved_macs=cis_sle12
- sysctl_fs_suid_dumpable
+ - '!use_pam_wheel_for_su'
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
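Review bot: The new block empties the group by running `groupdel -f` and then `groupadd -f`, which destroys and recreates the group rather than clearing its member list: the recreated group may receive a different GID, leaving files and any configuration bound to the old GID orphaned, and `-f` forces the deletion even when the group is some user's primary group. Clearing the members in place, e.g. `groupadd -f "${var_pam_wheel_group_for_su}"` followed by `gpasswd -M '' "${var_pam_wheel_group_for_su}"`, reaches the same end state without the GID churn. The same delete-then-recreate sequence (`state: absent` followed by `state: present`) is in the Ansible remediation added by this patch and, after patch 5 moves it, in ensure_pam_wheel_group_empty/ansible/shared.yml, where the `group` module with `state: absent` will likely fail outright if the group is a user's primary group; since patch 5 drops these bash lines again in favour of ensure_pam_wheel_group_empty, the fix belongs in that rule's remediations.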
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index 26f731d6d33..5165d80a8dc 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
@@ -26,3 +26,6 @@ selections:
- '!service_ntpd_enabled'
- '!service_timesyncd_enabled'
- '!package_libreswan_installed'
+ - '!use_pam_wheel_for_su'
+ - use_pam_wheel_group_for_su
+ - var_pam_wheel_group_for_su=cis
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
index 355c3e6c375..43f3bd76dc9 100644
--- a/shared/references/cce-sle12-avail.txt
+++ b/shared/references/cce-sle12-avail.txt
@@ -16,7 +16,6 @@ CCE-92345-8
CCE-92347-4
CCE-92348-2
CCE-92350-8
-CCE-92351-6
CCE-92353-2
CCE-92354-0
CCE-92355-7
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
index 4844b8b1091..cba50845398 100644
--- a/shared/references/cce-sle15-avail.txt
+++ b/shared/references/cce-sle15-avail.txt
@@ -23,7 +23,6 @@ CCE-92514-9
CCE-92516-4
CCE-92517-2
CCE-92521-4
-CCE-92522-2
CCE-92524-8
CCE-92525-5
CCE-92527-1
From f6ce92c56bf9f93aaa42c4c567de706e276275cc Mon Sep 17 00:00:00 2001
From: rchikov
Date: Tue, 20 Jun 2023 08:12:09 +0200
Subject: [PATCH 2/5] A small correction in bash part of the rule
---
.../root_logins/use_pam_wheel_group_for_su/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
index 1a4fb89e1d6..50440f62cb8 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
@@ -3,7 +3,7 @@ PAM_CONF=/etc/pam.d/su
-if [ $(getent group ${var_pam_wheel_group_for_su})]; then
+if [ $(getent group ${var_pam_wheel_group_for_su}) ]; then
# group exists
groupdel -f ${var_pam_wheel_group_for_su}
fi
From b3e29adb7f441c5aa728e539081dcc965acf1af9 Mon Sep 17 00:00:00 2001
From: Rumen <77793453+rumch-se@users.noreply.github.com>
Date: Fri, 23 Jun 2023 16:06:19 +0200
Subject: [PATCH 3/5] Update rule.yml
Update order of prodtypes
---
.../root_logins/use_pam_wheel_group_for_su/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
index 1f6c4848455..41d84df8e8a 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ubuntu2004,ubuntu2204,sle12,sle15
+prodtype: sle12,sle15,ubuntu2004,ubuntu2204
title: 'Enforce Usage of pam_wheel with Group Parameter for su Authentication'
From 9a11550d144ca852c93bc8ebbe88008005a8ad30 Mon Sep 17 00:00:00 2001
From: rchikov
Date: Wed, 28 Jun 2023 09:02:51 +0200
Subject: [PATCH 4/5] Small correction in bash part
---
.../root_logins/use_pam_wheel_group_for_su/bash/shared.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
index 50440f62cb8..3f8b6cf94fc 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
@@ -3,7 +3,7 @@ PAM_CONF=/etc/pam.d/su
-if [ $(getent group ${var_pam_wheel_group_for_su}) ]; then
+if [ "$(getent group ${var_pam_wheel_group_for_su})" ]; then
# group exists
groupdel -f ${var_pam_wheel_group_for_su}
fi
From a6b6843c1eb8b91bc43e533ac879ca4e3685407f Mon Sep 17 00:00:00 2001
From: rchikov
Date: Thu, 29 Jun 2023 09:29:04 +0200
Subject: [PATCH 5/5] Modification of the rule ensure_pam_wheel_group_empty
---
controls/cis_sle12.yml | 1 +
controls/cis_sle15.yml | 1 +
.../ansible/shared.yml | 17 +++++++++++++++++
.../ensure_pam_wheel_group_empty/bash/shared.sh | 2 +-
.../ensure_pam_wheel_group_empty/rule.yml | 8 +++++++-
.../ansible/shared.yml | 10 ----------
.../use_pam_wheel_group_for_su/bash/shared.sh | 9 +--------
products/sle12/profiles/pci-dss-4.profile | 1 +
products/sle15/profiles/pci-dss-4.profile | 1 +
shared/references/cce-sle12-avail.txt | 1 -
shared/references/cce-sle15-avail.txt | 1 -
11 files changed, 30 insertions(+), 22 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index b024dac6c2e..d89700c00ea 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -1907,6 +1907,7 @@ controls:
- l1_workstation
automated: partially # we check only for usage of use_uid with pam_su, not for the group
rules:
+ - ensure_pam_wheel_group_empty
- use_pam_wheel_group_for_su
- var_pam_wheel_group_for_su=cis
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 59ed5fabe60..b30c995503a 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -2102,6 +2102,7 @@ controls:
- l1_workstation
automated: partially # we check only for usage of use_uid with pam_su, not for the group
rules:
+ - ensure_pam_wheel_group_empty
- use_pam_wheel_group_for_su
- var_pam_wheel_group_for_su=cis
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
new file mode 100644
index 00000000000..3d1d49b0bd8
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_sle,multi_platform_ubuntu
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+ {{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}}
+ - name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} is removed
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: absent
+ - name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} exist
+ group:
+ name: "{{ var_pam_wheel_group_for_su }}"
+ state: present
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
index fc8709ade0d..fccd77f6a52 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_ubuntu
{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
index ce158a9b3c4..b2542be551f 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_pam_wheel_group_empty/rule.yml
@@ -1,6 +1,6 @@
documentation_complete: true
-prodtype: ubuntu2004,ubuntu2204
+prodtype: sle12,sle15,ubuntu2004,ubuntu2204
title: 'Ensure the Group Used by pam_wheel Module Exists on System and is Empty'
@@ -17,7 +17,13 @@ rationale: |-
severity: medium
+identifiers:
+ cce@sle12: CCE-92353-2
+ cce@sle15: CCE-92528-9
+
references:
+ cis@sle12: '5.6'
+ cis@sle15: '5.6'
cis@ubuntu2004: '5.6'
cis@ubuntu2204: 5.3.7
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
index 972cc899b9c..5b2025201be 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/ansible/shared.yml
@@ -6,16 +6,6 @@
{{{ ansible_instantiate_variables("var_pam_wheel_group_for_su") }}}
-- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} is removed
- group:
- name: "{{ var_pam_wheel_group_for_su }}"
- state: absent
-
-- name: {{{ rule_title }}} - Ensure group {{ var_pam_wheel_group_for_su }} exist
- group:
- name: "{{ var_pam_wheel_group_for_su }}"
- state: present
-
- name: {{{ rule_title }}} - Add the group to the /etc/pam.d/su file
ansible.builtin.lineinfile:
path: "/etc/pam.d/su"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
index 3f8b6cf94fc..fcba42656a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_group_for_su/bash/shared.sh
@@ -1,15 +1,8 @@
-# platform = multi_platform_ubuntu,multi_platform_sle
+# platform = multi_platform_sle,multi_platform_ubuntu
{{{ bash_instantiate_variables("var_pam_wheel_group_for_su") }}}
PAM_CONF=/etc/pam.d/su
-if [ "$(getent group ${var_pam_wheel_group_for_su})" ]; then
- # group exists
- groupdel -f ${var_pam_wheel_group_for_su}
-fi
-groupadd -f ${var_pam_wheel_group_for_su}
-
-
pamstr=$(grep -P '^auth\s+required\s+pam_wheel\.so\s+(?=[^#]*\buse_uid\b)(?=[^#]*\bgroup=)' ${PAM_CONF})
if [ -z "$pamstr" ]; then
sed -Ei '/^auth\b.*\brequired\b.*\bpam_wheel\.so/d' ${PAM_CONF} # remove any remaining uncommented pam_wheel.so line
diff --git a/products/sle12/profiles/pci-dss-4.profile b/products/sle12/profiles/pci-dss-4.profile
index 7475bc9efac..13037009250 100644
--- a/products/sle12/profiles/pci-dss-4.profile
+++ b/products/sle12/profiles/pci-dss-4.profile
@@ -21,6 +21,7 @@ selections:
- disable_host_auth
- disable_prelink
- disable_users_coredumps
+ - ensure_pam_wheel_group_empty
- file_at_deny_not_exist
- file_cron_deny_not_exist
- file_groupowner_at_allow
diff --git a/products/sle15/profiles/pci-dss-4.profile b/products/sle15/profiles/pci-dss-4.profile
index 5165d80a8dc..1b1553b92f0 100644
--- a/products/sle15/profiles/pci-dss-4.profile
+++ b/products/sle15/profiles/pci-dss-4.profile
@@ -13,6 +13,7 @@ description: |-
selections:
- pcidss_4:all:base
+ - ensure_pam_wheel_group_empty
- sshd_strong_kex=pcidss
- sshd_approved_macs=cis_sle15
- sshd_approved_ciphers=cis_sle15
diff --git a/shared/references/cce-sle12-avail.txt b/shared/references/cce-sle12-avail.txt
index 43f3bd76dc9..5156837efb4 100644
--- a/shared/references/cce-sle12-avail.txt
+++ b/shared/references/cce-sle12-avail.txt
@@ -16,7 +16,6 @@ CCE-92345-8
CCE-92347-4
CCE-92348-2
CCE-92350-8
-CCE-92353-2
CCE-92354-0
CCE-92355-7
CCE-92357-3
diff --git a/shared/references/cce-sle15-avail.txt b/shared/references/cce-sle15-avail.txt
index cba50845398..9b225e4ed7e 100644
--- a/shared/references/cce-sle15-avail.txt
+++ b/shared/references/cce-sle15-avail.txt
@@ -26,7 +26,6 @@ CCE-92521-4
CCE-92524-8
CCE-92525-5
CCE-92527-1
-CCE-92528-9
CCE-92530-5
CCE-92532-1
CCE-92533-9