Merge pull request ComplianceAsCode#6256 from vojtapolasek/add_rhel8_ospp_pam_whell

add rule use_pam_wheel_for_su

Author: yuumasato

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/ansible/shared.yml

@@ -0,0 +1,11 @@
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: "restrict usage of su command only to members of wheel group"
+  replace:
+    path: "/etc/pam.d/su"
+    regexp: '^[\s]*#[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$'
+    replace: "auth             required        pam_wheel.so use_uid"

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/bash/shared.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
+
+# uncomment the option if commented
+  sed '/^[[:space:]]*#[[:space:]]*auth[[:space:]]\+required[[:space:]]\+pam_wheel\.so[[:space:]]\+use_uid$/s/^[[:space:]]*#//' -i /etc/pam.d/su

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/oval/shared.xml

@@ -0,0 +1,19 @@
+<def-group>
+  <definition class="compliance" id="use_pam_wheel_for_su" version="1">
+    {{{ oval_metadata("Only members of the wheel group should be able to authenticate through the su command.") }}}
+    <criteria operator="AND">
+      <criterion test_ref="test_use_pam_wheel_for_su" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/su for correct setting" id="test_use_pam_wheel_for_su" version="1">
+    <ind:object object_ref="object_use_pam_wheel_for_su" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="check /etc/pam.d/su for correct setting" id="object_use_pam_wheel_for_su" version="1">
+    <ind:filepath>/etc/pam.d/su</ind:filepath>
+    <ind:pattern operation="pattern match">^[\s]*auth[\s]+required[\s]+pam_wheel\.so[\s]+use_uid$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/rule.yml

@@ -0,0 +1,32 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Enforce usage of pam_wheel for su authentication'
+
+description: |-
+    To ensure that only users who are members of the <tt>wheel</tt> group can
+    run commands with altered privileges through the <tt>su</tt> command, make
+    sure that the following line exists in the file <tt>/etc/pam.d/su</tt>:
+    <pre>auth             required        pam_wheel.so use_uid</pre>
+
+rationale: |-
+    The <tt>su</tt> program allows to run commands with a substitute user and
+    group ID. It is commonly used to run commands as the root user. Limiting
+    access to such command is considered a good security practice.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-83318-6
+
+references:
+    ospp: FMT_SMF_EXT.1.1
+
+ocil_clause: 'the line is not in the file or it is commented'
+
+ocil: |-
+    Run the following command to check if the line is present:
+    <pre>grep pam_wheel /etc/pam.d/su</pre>
+    The output should contain the following line:
+    <pre>auth             required        pam_wheel.so use_uid</pre>

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/correct.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
+
+#apply correct line
+echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_commented.fail.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+#clean possible commented lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su
+
+#apply commented line
+echo "#auth required pam_wheel.so use_uid" >> /etc/pam.d/su

linux_os/guide/system/accounts/accounts-restrictions/root_logins/use_pam_wheel_for_su/tests/line_not_there.fail.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = none
+
+#clean possible lines
+sed -i '/^.*auth.*required.*pam_wheel\.so.*use_uid$/d' /etc/pam.d/su

rhel8/profiles/ospp.profile

@@ -223,6 +223,7 @@ selections:
     - securetty_root_login_console_only
     - var_password_pam_unix_remember=5
     - accounts_password_pam_unix_remember
+    - use_pam_wheel_for_su
 
     ### SELinux Configuration
     - var_selinux_state=enforcing

shared/references/cce-redhat-avail.txt

@@ -1,7 +1,6 @@
 CCE-83315-2
 CCE-83316-0
 CCE-83317-8
-CCE-83318-6
 CCE-83319-4
 CCE-83320-2
 CCE-83322-8

tests/data/profile_stability/rhel8/ospp.profile

@@ -220,6 +220,7 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- use_pam_wheel_for_su
 - zipl_audit_argument
 - zipl_audit_backlog_limit_argument
 - zipl_bls_entries_only

tests/data/profile_stability/rhel8/stig.profile

@@ -242,6 +242,7 @@ selections:
 - sysctl_user_max_user_namespaces
 - timer_dnf-automatic_enabled
 - usbguard_allow_hid_and_hub
+- use_pam_wheel_for_su
 - var_sshd_set_keepalive=0
 - var_rekey_limit_size=1G
 - var_rekey_limit_time=1hour