
Ensuring "session optional pam_umask.so" line is present in /etc/pam.d/{system-auth | password-auth} files #163

ipruteanu-sie
Contributor

Overall Review of Changes:
Conditional insertion of "session optional pam_umask.so" line in:

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth

Issue Fixes:
#162

How has this been tested?:
Manual, on EC2 instance:


# cat /etc/pam.d/password-auth  | grep umask
#
# cat /etc/pam.d/system-auth | grep umask
# 
===============================================
TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs settings] ********************************************************************************************************************************************
ok: [34.244.29.147] => (item={'path': '/etc/bashrc', 'line': 'umask'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "umask", "path": "/etc/bashrc"}, "msg": "", "rc": 0}
ok: [34.244.29.147] => (item={'path': '/etc/profile', 'line': 'umask'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "umask", "path": "/etc/profile"}, "msg": "", "rc": 0}
ok: [34.244.29.147] => (item={'path': '/etc/login.defs', 'line': 'UMASK'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "UMASK", "path": "/etc/login.defs"}, "msg": "", "rc": 0}

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth] *****************************************************************************************************************************************************
fatal: [34.244.29.147]: FAILED! => {"changed": true, "cmd": "grep -E -q \"^session\\s*(optional|requisite|required)\\s*pam_umask.so$\" /etc/pam.d/system-auth\n", "delta": "0:00:00.005307", "end": "2024-01-30 13:50:13.881481", "msg": "non-zero return code", "rc": 1, "start": "2024-01-30 13:50:13.876174", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
...ignoring

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth] ***********************************************************************************************************************************
changed: [34.244.29.147] => {"backup": "", "changed": true, "msg": "line added"}

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth] ***************************************************************************************************************************************************
fatal: [34.244.29.147]: FAILED! => {"changed": true, "cmd": "grep -E -q \"^session\\s*(optional|requisite|required)\\s*pam_umask.so$\" /etc/pam.d/password-auth\n", "delta": "0:00:00.005221", "end": "2024-01-30 13:50:18.033096", "msg": "non-zero return code", "rc": 1, "start": "2024-01-30 13:50:18.027875", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
...ignoring

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth] *********************************************************************************************************************************
changed: [34.244.29.147] => {"backup": "", "changed": true, "msg": "line added"}
===============================================


# cat /etc/pam.d/password-auth  | grep umask
session    optional    pam_umask.so
#
# cat /etc/pam.d/system-auth | grep umask
session    optional    pam_umask.so
#
===============================================

CIS_RESULT: pass
"01/30/2024 14:35:06","ip-172-31-38-227.eu-west-1.compute.internal","N/A","N/A","1.0.0","#scap_org.cisecurity_comp_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark-xccdf","CIS Red Hat Enterprise Linux 9 Benchmark","xccdf_org.cisecurity.benchmarks_benchmark_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark","Level 2 - Server","xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server","xccdf_org.cisecurity.benchmarks_rule_5.6.5_Ensure_default_user_umask_is_027_or_more_restrictive","5.6.5","Ensure default user umask is 027 or more restrictive","pass",","
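A stand-alone shell version of the check-and-insert that the two PAM tasks above perform, added here as an example (not the role's own task code). `PAM_UMASK_RE` is a variant of the PR's grep pattern, relaxed so that a line whose `pam_umask.so` already carries module arguments (for example `usergroups`) is also recognised, which keeps the insert idempotent on such files; the two PAM fragments written by `demo` are constructed samples.

```shell
#!/bin/sh
# Idempotent "session optional pam_umask.so" check-and-insert for a PAM
# service file, mirroring the PR's two-step logic: grep check first, append
# only when the check fails. Example code, not the role's own task.

# Based on the PR's check regex, with two deliberate differences (assumptions
# of this example): fields must be separated by at least one whitespace
# character, and trailing module arguments are tolerated. The PR's pattern
# anchors on "pam_umask.so$", so a line such as
# "session optional pam_umask.so usergroups" would not satisfy it and the
# insert task would append a second pam_umask.so line.
PAM_UMASK_RE='^[[:space:]]*session[[:space:]]+(optional|requisite|required)[[:space:]]+pam_umask\.so([[:space:]].*)?$'
PAM_UMASK_LINE='session    optional    pam_umask.so'

# has_pam_umask FILE -> exit 0 if a matching session line is present, 1 if not
has_pam_umask() {
    grep -E -q "$PAM_UMASK_RE" "$1"
}

# ensure_pam_umask FILE -> prints "ok" when already present, "changed" when
# the line was appended (same two outcomes the Ansible run reports)
ensure_pam_umask() {
    file=$1
    if has_pam_umask "$file"; then
        echo ok
    else
        printf '%s\n' "$PAM_UMASK_LINE" >> "$file"
        echo changed
    fi
}

# count_pam_umask FILE -> number of matching lines; more than 1 means a
# duplicate was inserted
count_pam_umask() {
    grep -E -c "$PAM_UMASK_RE" "$1" || true
}

# demo DIR -> writes two constructed PAM fragments into DIR (one without a
# umask line, one whose umask line carries an argument) and runs the
# check-and-insert against both, printing the result per file
demo() {
    dir=$1
    printf 'auth        required      pam_env.so\nsession     optional      pam_keyinit.so revoke\n' > "$dir/system-auth"
    printf 'session     optional      pam_umask.so usergroups\n' > "$dir/password-auth"
    for f in system-auth password-auth; do
        printf '%s: %s\n' "$f" "$(ensure_pam_umask "$dir/$f")"
    done
}

workdir=$(mktemp -d)
demo "$workdir"   # prints "system-auth: changed" and "password-auth: ok"
```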

ipruteanu-sie and others added 18 commits January 30, 2024 20:51
" is present in /etc/pam.d/{system-auth | password-auth}
Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth}
….com:infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/rhel9-cis into siemens/feat/5_6_5_pam-d_files_session
updates:
- [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](ansible/ansible-lint@v6.22.1...v6.22.2)

Signed-off-by: Ionut Pruteanu <[email protected]>
Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth}

Signed-off-by: Ionut Pruteanu <[email protected]>
…iemens/RHEL9-CIS into siemens/feat/5_6_5_pam-d_files_session
…l which governs if extra params will be configured

Signed-off-by: Ionut Pruteanu <[email protected]>
Correction to "when":  1_3_3

Signed-off-by: Joachim la Poutré <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
Corrected tag rule_1.8.10

Signed-off-by: Joachim la Poutré <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
Corrected tag: rule_5.6.1.1

Signed-off-by: Joachim la Poutré <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
Corrected tag: rule_5.6.1.5

Signed-off-by: Joachim la Poutré <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
Corrected tags: rule_6.1.8 & rule_6.1.12

Signed-off-by: Joachim la Poutré <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
Corrected tag: rule_6.2.3

Signed-off-by: Joachim la Poutré <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
Signed-off-by: Joshua Hemmings <[email protected]>
Signed-off-by: Ionut Pruteanu <[email protected]>
updates:
- [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](ansible/ansible-lint@v6.22.1...v6.22.2)

Signed-off-by: Ionut Pruteanu <[email protected]>
Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth}

Signed-off-by: Ionut Pruteanu <[email protected]>
….com:infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/rhel9-cis into siemens/feat/5_6_5_pam-d_files_session