5.6 | Ensure access to the su command is restricted tasks do not account for lines commented out in pam.d #25

Closed
jrbeilke opened this issue Apr 8, 2021 · 2 comments · Fixed by #34

jrbeilke commented Apr 8, 2021

The tasks for this CIS criteria first grep the /etc/pam.d/su file, and do not take into account a line that may be commented out, so the tasks get skipped, i.e.:

      # auth required pam_wheel.so

      - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted | Check for pam_wheel.so module"
        command: grep 'auth.*required.*pam_wheel' /etc/pam.d/su
        changed_when: false
        failed_when: false
        register: ubtu18cis_5_6_pam_wheel_status

      - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted | Set pam_wheel if does not exist"
        lineinfile:
            path: /etc/pam.d/su
            line: 'auth       required   pam_wheel.so use_uid group={{ ubtu18cis_su_group }}'
            create: yes
        when: ubtu18cis_5_6_pam_wheel_status.stdout == ""

Seems an update is needed to check if the line is commented out and uncomment it so that the control is applied properly.

jrbeilke commented Apr 8, 2021

FYI, here is an example from the GSA of how they handle this criteria in their role using lineinfile:
https://github.com/GSA/ansible-os-ubuntu18/blob/master/tasks/section5.yml#L809

- name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted"
  lineinfile:
      state: present
      dest: /etc/pam.d/su
      regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
      line: "auth           required        pam_wheel.so use_uid"
  when:
      - ubuntu1804cis_rule_5_6
  tags:
      - level1
      - patch
      - rule_5.6
      - scored

georgenalen added a commit that referenced this issue Apr 9, 2021
Signed-off-by: George Nalen <[email protected]>
@georgenalen

Hello,
Thanks for raising the issue. I have added a little more robust regex to control a bit more of what it is looking for. One issue I discovered is: if there are no existing or commented-out instances, where do we put the line? With that, I noticed that there was an error in the task where it was always going at the bottom of the file, which is the wrong place for that required pam_wheel element. Since rootok should generally be there, I have it inserting below that if there are no instances of auth required pam_wheel. Thanks for raising the issue, and I will close this ticket once I get it into devel. Thanks again.

George

This was referenced Apr 12, 2021
@georgenalen georgenalen linked a pull request Apr 14, 2021 that will close this issue
uk-bolly pushed a commit that referenced this issue Sep 20, 2023
Signed-off-by: George Nalen <[email protected]>
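
Added example (not code from this role or from the GSA role), written in Python because lineinfile's `regexp` uses Python regular expressions: it shows why the unanchored grep from the issue treats a commented-out pam_wheel line as present, and an idempotent edit that rewrites a commented or active instance in place, or inserts below pam_rootok when none exists. The sample file contents, the group name `sugroup`, the function names and the top-of-file fallback are assumptions of this example.

```python
import re

# The unanchored pattern from the issue's grep; it also hits commented-out lines.
NAIVE = re.compile(r"auth.*required.*pam_wheel")
# An active rule: the line starts with "auth" (leading whitespace allowed).
ACTIVE = re.compile(r"^\s*auth\s+required\s+pam_wheel\.so\b")
# Active or commented out: tolerates "#auth", "# auth", "## auth".
ANY = re.compile(r"^\s*#*\s*auth\s+required\s+pam_wheel\.so\b")
ROOTOK = re.compile(r"^\s*auth\s+sufficient\s+pam_rootok\.so\b")

# Constructed sample contents for /etc/pam.d/su (not taken from a real host).
HEAD = "# constructed sample\nauth       sufficient pam_rootok.so\n"
TAIL = "session    required   pam_env.so readenv=1\n"
COMMENTED = HEAD + "# auth       required   pam_wheel.so\n" + TAIL
ABSENT = HEAD + TAIL


def naive_check(text):
    """Mimic the grep task: True means 'rule found', so the fix is skipped."""
    return any(NAIVE.search(line) for line in text.splitlines())


def classify(text):
    """Return 'active', 'commented' or 'absent' for the pam_wheel rule."""
    lines = text.splitlines()
    if any(ACTIVE.match(line) for line in lines):
        return "active"
    return "commented" if any(ANY.match(line) for line in lines) else "absent"


def ensure_pam_wheel(text, group):
    """Idempotently enable the rule; returns the new file content."""
    wanted = f"auth       required   pam_wheel.so use_uid group={group}"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if ANY.match(line):  # rewrite the first active or commented instance in place
            lines[i] = wanted
            break
    else:
        # No instance: insert right below pam_rootok (top of file if it is missing,
        # which is this example's own fallback choice).
        idx = next((i for i, l in enumerate(lines) if ROOTOK.match(l)), -1)
        lines.insert(idx + 1, wanted)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, sample in (("commented", COMMENTED), ("absent", ABSENT)):
        print(name, naive_check(sample), classify(sample))
        print(ensure_pam_wheel(sample, "sugroup"))
```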