Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Solving conflicts after previous commit: #165

Closed
wants to merge 2 commits into from
Closed

Solving conflicts after previous commit: #165

wants to merge 2 commits into from

Conversation

ipruteanu-sie
Copy link
Contributor

Recreated this PR, by cherry-picking previous commit with --signoff.

Overall Review of Changes:
Conditional insertion of "session optional pam_umask.so" line in:

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth

Issue Fixes:
#162

How has this been tested?:
Manual, on EC2 instance:


# cat /etc/pam.d/password-auth  | grep umask
#
# cat /etc/pam.d/system-auth | grep umask
# 
===============================================
TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs settings] ********************************************************************************************************************************************
ok: [34.244.29.147] => (item={'path': '/etc/bashrc', 'line': 'umask'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "umask", "path": "/etc/bashrc"}, "msg": "", "rc": 0}
ok: [34.244.29.147] => (item={'path': '/etc/profile', 'line': 'umask'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "umask", "path": "/etc/profile"}, "msg": "", "rc": 0}
ok: [34.244.29.147] => (item={'path': '/etc/login.defs', 'line': 'UMASK'}) => {"ansible_loop_var": "item", "changed": false, "item": {"line": "UMASK", "path": "/etc/login.defs"}, "msg": "", "rc": 0}

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth] *****************************************************************************************************************************************************
fatal: [34.244.29.147]: FAILED! => {"changed": true, "cmd": "grep -E -q \"^session\\s*(optional|requisite|required)\\s*pam_umask.so$\" /etc/pam.d/system-auth\n", "delta": "0:00:00.005307", "end": "2024-01-30 13:50:13.881481", "msg": "non-zero return code", "rc": 1, "start": "2024-01-30 13:50:13.876174", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
...ignoring

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth] ***********************************************************************************************************************************
changed: [34.244.29.147] => {"backup": "", "changed": true, "msg": "line added"}

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth] ***************************************************************************************************************************************************
fatal: [34.244.29.147]: FAILED! => {"changed": true, "cmd": "grep -E -q \"^session\\s*(optional|requisite|required)\\s*pam_umask.so$\" /etc/pam.d/password-auth\n", "delta": "0:00:00.005221", "end": "2024-01-30 13:50:18.033096", "msg": "non-zero return code", "rc": 1, "start": "2024-01-30 13:50:18.027875", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
...ignoring

TASK [rhel9-cis : 5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth] *********************************************************************************************************************************
changed: [34.244.29.147] => {"backup": "", "changed": true, "msg": "line added"}
===============================================


# cat /etc/pam.d/password-auth  | grep umask
session    optional    pam_umask.so
#
# cat /etc/pam.d/system-auth | grep umask
session    optional    pam_umask.so
#
===============================================

CIS_RESULT: pass
"01/30/2024 14:35:06","ip-172-31-38-227.eu-west-1.compute.internal","N/A","N/A","1.0.0","#scap_org.cisecurity_comp_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark-xccdf","CIS Red Hat Enterprise Linux 9 Benchmark","xccdf_org.cisecurity.benchmarks_benchmark_1.0.0_CIS_Red_Hat_Enterprise_Linux_9_Benchmark","Level 2 - Server","xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server","xccdf_org.cisecurity.benchmarks_rule_5.6.5_Ensure_default_user_umask_is_027_or_more_restrictive","5.6.5","Ensure default user umask is 027 or more restrictive","pass",","

@ipruteanu-sie
Solving conflicts after previous commit:
594e52a 
Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth}

Signed-off-by: Ionut Pruteanu <[email protected]>
@ipruteanu-sie
Check_mode: false, otherwise gets skipped
c51712e 
Signed-off-by: Ionut Pruteanu <[email protected]>
uk-bolly
uk-bolly reviewed Feb 19, 2024
View reviewed changes
tasks/section_5/cis_5.6.x.yml
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also addressed in another PR there are two ways to approach the control.
We have always carried out via the bash/shell profile script method. This is using the alternate method

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @uk-bolly . I'm not really sure I know which is the other open PR where 5.6.5 is treated.
If the PR was merged, in devel the latest change I see for 5.6.5 is this one.

Nevertheless, as I mentioned in issue #162(highlighted in red in the attached screenshot), CIS expects both files:

  • /etc/pam.d/password-auth
  • /etc/pam.d/system-auth - we're currently treating only this one, right?

However, please feel free to close the PR, if the issue is already fixed.

@uk-bolly uk-bolly self-assigned this Feb 19, 2024
uk-bolly added a commit that referenced this pull request Mar 6, 2024
@uk-bolly
Addressed PR #165 thanks to @ipruteanu-sie
112cf5a 
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly mentioned this pull request Mar 6, 2024
Merged
uk-bolly added a commit that referenced this pull request Mar 6, 2024
@uk-bolly
March 24 to devel (#186)
7d7b613 
* Issue #170, PR #181 thanks to @ipruteanu-sie

* issue #182, PR #183 thansk to @ipruteanu-sie

* PR #180 thanks to @ipruteanu-sie and @raabf

* Addressed PR #165 thanks to @ipruteanu-sie

* PT #184 addressed thansk to @ipruteanu-sie

* updated credits

* typo and ssh allow_deny comments

* enable OS check

---------

Signed-off-by: Mark Bolwell <[email protected]>
ipruteanu-sie pushed a commit to siemens/RHEL9-CIS that referenced this pull request Mar 11, 2024
@uk-bolly @ipruteanu-sie
March 24 to devel (ansible-lockdown#186)
504c553 
* Issue ansible-lockdown#170, PR ansible-lockdown#181 thanks to @ipruteanu-sie

* issue ansible-lockdown#182, PR ansible-lockdown#183 thansk to @ipruteanu-sie

* PR ansible-lockdown#180 thanks to @ipruteanu-sie and @raabf

* Addressed PR ansible-lockdown#165 thanks to @ipruteanu-sie

* PT ansible-lockdown#184 addressed thansk to @ipruteanu-sie

* updated credits

* typo and ssh allow_deny comments

* enable OS check

---------

Signed-off-by: Mark Bolwell <[email protected]>
Signed-off-by: Pruteanu <[email protected]>
@ipruteanu-sie
Copy link
Contributor Author

Current approach is just fine, CIS report a Pass

uk-bolly added a commit that referenced this pull request Apr 15, 2024
@uk-bolly
April_24 updates (#201)
f8fcfe0 
* Issue #170, PR #181 thanks to @ipruteanu-sie

Signed-off-by: Mark Bolwell <[email protected]>

* issue #182, PR #183 thansk to @ipruteanu-sie

Signed-off-by: Mark Bolwell <[email protected]>

* PR #180 thanks to @ipruteanu-sie and @raabf

Signed-off-by: Mark Bolwell <[email protected]>

* Addressed PR #165 thanks to @ipruteanu-sie

Signed-off-by: Mark Bolwell <[email protected]>

* PT #184 addressed thansk to @ipruteanu-sie

Signed-off-by: Mark Bolwell <[email protected]>

* updated credits

Signed-off-by: Mark Bolwell <[email protected]>

* typo and ssh allow_deny comments

Signed-off-by: Mark Bolwell <[email protected]>

* enable OS check

Signed-off-by: Mark Bolwell <[email protected]>

* PR - #198 addressed thanks to @brakkio86

Signed-off-by: Mark Bolwell <[email protected]>

* Addressed issue #190

Signed-off-by: Mark Bolwell <[email protected]>

* Additional vars for issue #190

Signed-off-by: Mark Bolwell <[email protected]>

* updated pre-commit version

Signed-off-by: Mark Bolwell <[email protected]>

* consistent quotes around mode

Signed-off-by: Mark Bolwell <[email protected]>

* moved audit added discoveries

Signed-off-by: Mark Bolwell <[email protected]>

* removed unneeded vars

Signed-off-by: Mark Bolwell <[email protected]>

* audit moved to prelim

Signed-off-by: Mark Bolwell <[email protected]>

* tidy up

Signed-off-by: Mark Bolwell <[email protected]>

* improved new variable usage

Signed-off-by: Mark Bolwell <[email protected]>

* fixed logic 6.2.10

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* addressed #197 thanks to @mark-tomich

Signed-off-by: Mark Bolwell <[email protected]>

* updates for audit section

Signed-off-by: Mark Bolwell <[email protected]>

* fixed naming

Signed-off-by: Mark Bolwell <[email protected]>

* updated

Signed-off-by: Mark Bolwell <[email protected]>

* added prelim to includes

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@uk-bolly uk-bolly uk-bolly left review comments

Assignees

@uk-bolly uk-bolly

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ipruteanu-sie @uk-bolly