ansible-lockdown / RHEL8-CIS

Ansible role for Red Hat 8 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License
250 stars 157 forks

Issue with Task 4.3.7 Ensure access to the su command is restricted #374

Open msachikanta opened 1 month ago

msachikanta commented 1 month ago

Describe the Issue Noticed that the task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is writing the entire output of the discovered_sugroup dynamic value, which gets populated by the task 4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists, as stated below:

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
  ansible.builtin.group:
      name: "{{ rhel8cis_sugroup }}"
      state: present
  register: discovered_sugroup

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
  ansible.builtin.lineinfile:
      path: /etc/group
      regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
      line: '{{ discovered_sugroup }}\g<1>'
      backrefs: true

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
  ansible.builtin.lineinfile:
      path: /etc/pam.d/su
      regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
      line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'

Expected Behavior The task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is supposed to write only the value of the rhel8cis_sugroup variable, which should be sugroup, as stated below:

auth           required        pam_wheel.so use_uid group=sugroup

However, it is writing the entire output of discovered_sugroup, as stated below:

Actual Behavior The task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is writing the entire output of discovered_sugroup, as stated below:

auth           required        pam_wheel.so use_uid group={'name': 'sugroup', 'state': 'present', 'changed': True, 'system': False, 'gid': 1001, 'failed': False}

Control(s) Affected Nothing

Possible Solution The below lines

line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'
regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
line: '{{ discovered_sugroup }}\g<1>'

can be replaced with

line: 'auth           required        pam_wheel.so use_uid group={{ rhel8cis_sugroup }}'
regexp: '^{{ rhel8cis_sugroup }}(:.:.*:).*$'
line: '{{ rhel8cis_sugroup }}\g<1>'

or

# Dot access is used here: writing discovered_sugroup['name'] inside a
# single-quoted YAML scalar would end the string at the first inner quote.
line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup.name }}'
regexp: '^{{ discovered_sugroup.name }}(:.:.*:).*$'
line: '{{ discovered_sugroup.name }}\g<1>'

to fix the issue.
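
An added check, not code from the issue or from the RHEL8-CIS role, that audits the end state the three tasks are meant to produce and flags the symptom reported above. It parses constructed samples of /etc/pam.d/su and /etc/group (both embedded below and labelled as constructed; the file contents, group names and GIDs are assumptions) and reports whether the pam_wheel.so line carries use_uid and a group= value that is a real, empty group, rather than a rendered Ansible result dict.

```python
import re

# Constructed sample inputs (not from the issue): /etc/pam.d/su as left by
# the buggy task, where the whole registered dict was rendered after
# "group=", and the same file as the corrected task should write it.
BROKEN_PAM_SU = """\
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
auth           required        pam_wheel.so use_uid group={'name': 'sugroup', 'state': 'present', 'changed': True, 'system': False, 'gid': 1001, 'failed': False}
auth            substack        system-auth
account         include         system-auth
"""

FIXED_PAM_SU = """\
#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
auth           required        pam_wheel.so use_uid group=sugroup
auth            substack        system-auth
account         include         system-auth
"""

# Constructed /etc/group excerpt: sugroup exists and, as the role's
# "remove users from group" task intends, has no members.
ETC_GROUP = """\
root:x:0:
wheel:x:10:alice
sugroup:x:1001:
"""

# Uncommented "auth required pam_wheel.so ..." lines; everything after the
# module name is captured as the option string.
PAM_WHEEL_RE = re.compile(r'^\s*auth\s+required\s+pam_wheel\.so(?P<opts>.*)$')
# Portable group-name syntax (what groupadd accepts by default).
GROUP_NAME_RE = re.compile(r'^[a-z_][a-z0-9_-]*\$?$')


def parse_groups(group_text):
    """Map group name -> (gid, [members]) from /etc/group content."""
    groups = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _pw, gid, members = line.split(':', 3)
        groups[name] = (int(gid), [m for m in members.split(',') if m])
    return groups


def check_su_restriction(pam_su_text, group_text):
    """Audit the state CIS 4.3.7 expects: exactly one active
    'auth required pam_wheel.so use_uid group=<g>' line in /etc/pam.d/su,
    where <g> is a valid group name that exists in /etc/group and has no
    members. Returns a list of findings; an empty list means compliant."""
    findings = []
    active = []
    for line in pam_su_text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = PAM_WHEEL_RE.match(line)
        if m:
            active.append(m.group('opts').split())
    if len(active) != 1:
        findings.append(f'expected one active pam_wheel.so auth line, found {len(active)}')
        return findings

    opts = active[0]
    if 'use_uid' not in opts:
        findings.append('pam_wheel.so line lacks use_uid')
    group_opts = [o for o in opts if o.startswith('group=')]
    if len(group_opts) != 1:
        findings.append(f'expected one group= option, found {len(group_opts)}')
        return findings

    name = group_opts[0][len('group='):]
    if name.startswith('{'):
        # The symptom from this issue: a whole Ansible result dict was
        # templated into the line instead of the group name.
        findings.append(f'group= value {name!r} looks like a rendered Ansible result dict, not a group name')
        return findings
    if not GROUP_NAME_RE.match(name):
        findings.append(f'group= value {name!r} is not a valid group name')
        return findings

    groups = parse_groups(group_text)
    if name not in groups:
        findings.append(f'group {name!r} does not exist in /etc/group')
        return findings
    _gid, members = groups[name]
    if members:
        findings.append(f'group {name!r} still has members: {members}')
    return findings


if __name__ == '__main__':
    for label, text in (('broken', BROKEN_PAM_SU), ('fixed', FIXED_PAM_SU)):
        print(label, check_su_restriction(text, ETC_GROUP) or 'compliant')
```

On a real host, feed it the contents of /etc/pam.d/su and /etc/group; it returns an empty list only when the group= value names an existing, empty group, so the dict-rendered line from this issue is reported as a finding rather than silently passing a "does the line contain pam_wheel.so" grep.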

uk-bolly commented 1 month ago

Hi @msachikanta

Thank you for raising this issue. I'm looking into it and putting a few fixes together, and will be submitting the PR shortly.

Many thanks

uk-bolly