Only allow root and members of group wheel to use su #134
Conversation
README.md
Outdated
| @@ -68,6 +68,8 @@ This Puppet module provides secure configuration of your base OS with hardening. | |||
| the number of last passwords (e.g. 5 will prevent user to reuse any of her last 5 passwords) | |||
| * `allow_change_user = false` | |||
| if a user may use `su` to change his login | |||
| * `only_root_may_su = true` | |||
There was a problem hiding this comment.
I would better set the default to false, because this change might otherwise break existing installations
manifests/init.pp
Outdated
| @@ -37,6 +37,7 @@ | |||
| Boolean $manage_pam_unix = false, | |||
| Boolean $enable_pw_history = true, | |||
| Integer $pw_remember_last = 5, | |||
| Boolean $only_root_may_su = true, | |||
manifests/pam.pp
Outdated
| @@ -17,6 +17,7 @@ | |||
| Boolean $manage_pam_unix = false, | |||
| Boolean $enable_pw_history = false, | |||
| Integer $pw_remember_last = 5, | |||
| Boolean $only_root_may_su = true, | |||
templates/pam_su.erb
Outdated
| @@ -0,0 +1,68 @@ | |||
| # | |||
There was a problem hiding this comment.
This template is only valid for debian / ubuntu ... please also distinguish between the distributions. I'll attach the default settings for SUSE and RedHat/Centos.
|
I'm not entirely happy with how the templates are provided now. Should I make subdirectories per OS instead? |
|
@timstoop Concerning the templates: that's fine for me ... it's not crowded yet in the template folder I just saw that you also need to pass $only_root_may_su to class os_hardening::pam in init.pp, line 182. |
|
Will do, but might take a few weeks before I'm able to pick this up again (see my comment in PR #131). |
HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <github@timstoop.nl> (github: timstoop)
|
I think that fixes all complaints! |
manifests/pam.pp
Outdated
| @@ -131,6 +133,32 @@ | |||
| } | |||
| } | |||
|
|
|||
| #only allow root and members of the group wheel to su | |||
| if $only_root_may_su { | |||
| case $::operatingsystem { | |||
There was a problem hiding this comment.
this case isn't working here, because you'll never reach this if you are not debian or ubuntu --> see line 48
So the whole block must be copied, customized and pasted into the end / line 167
I see this is hard to setup & test if you don't have access to those environments ... let me suggest this: reduce your solution once again (sorry) to ubuntu and I'll adapt this for the other platforms and insert another pr myself afterwards.
There was a problem hiding this comment.
Yes, sorry, I'm only testing on Debian Stretch due to time constraints :/ I'm testing my work on a modified version of https://github.com/dev-sec/hardening/tree/master/puppet (as I want to use the contrib-stretch image, for instance). If there's a similar solution for RedHat/Suse, I'm happy to add it to my testing before I send in my patches! It's just that RedHat and Suse are fairly unknown to me (been using Debian since 1997), so it's not that easy for me to setup (and time does not permit it either).
For now, I'll do as requested and move it down.
There was a problem hiding this comment.
s/move it down/reduce to debian/
manifests/pam.pp
Outdated
| @@ -131,6 +133,17 @@ | |||
| } | |||
| } | |||
|
|
|||
| #only allow root and members of the group wheel to su | |||
| if $only_root_may_su { | |||
There was a problem hiding this comment.
This if clause should be left out here - if you switch back only_root_may_su to false, the file won't get an update.
|
@mcgege does it make sense to port this to chef and ansible implementations? |
|
@artem-sidorenko I'm undecided here as I don't know how often this feature is used ... and you have to pay attention that you don't lock out yourself (su doesn't work any more if root is not in this group) :-) @timstoop Can you implement this last open change? |
HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <github@timstoop.nl> (github: timstoop)
|
Done! |
|
@timstoop Thanks a lot! |
This fixes the benchmark cis-dil-benchmark-5.6.