dev-sec / ansible-collection-hardening

This Ansible collection provides battle tested hardening for Linux, SSH, nginx, MySQL
http://dev-sec.io/
Apache License 2.0
4.04k stars, 732 forks

System UID range increased from 500 to 1000 in RHEL/CentOS 7 #194

Open martinbydefault opened 6 years ago

martinbydefault commented 6 years ago

System user UID range was extended from 0-499 to 0-999 (https://access.redhat.com/articles/1190233).

In the template rhel_system_auth.j2 there is a 500 hardcoded. I think there should be a variable with the max system UID number (500 or 1000, depending on the OS version) and use that variable instead of the 500 hardcoded here: https://github.com/dev-sec/ansible-os-hardening/blob/44b32922ffd4372fabdef56c958448ea555ed9c3/templates/etc/pam.d/rhel_system_auth.j2#L9 and here: https://github.com/dev-sec/ansible-os-hardening/blob/44b32922ffd4372fabdef56c958448ea555ed9c3/templates/etc/pam.d/rhel_system_auth.j2#L17

Or maybe don't define a new variable and just use os_auth_uid_min?

In both cases the variable must be defined in the OS specific version var file (Redhat-6 and Redhat-7) instead of the general (Redhat).

I can submit a PR with the changes once I get feedback from this.

CC @rndmh3ro

rndmh3ro commented 6 years ago

Hey @martinbydefault, thanks for noticing that, you're completely right!

> Or maybe don't define a new variable and just use os_auth_uid_min?

Yes, we should use that variable.

If you would open a PR that would be great!

pyllyukko commented 5 years ago

How about reading it from /etc/login.defs (SYS_UID_MAX)?
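The login.defs approach from the last comment, as an added Python example that is not code from the dev-sec collection: it parses SYS_UID_MAX out of login.defs text and derives the boundary that the template's hardcoded 500 stands for (SYS_UID_MAX + 1, which on RHEL/CentOS 7 is 1000 and matches UID_MIN). The two login.defs samples are constructed, the fallback argument stands in for the collection's os_auth_uid_min variable, and the rendered pam_succeed_if line is an assumed form rather than the template's exact line.

```python
"""Derive the system/regular UID boundary from login.defs content.

Added example (not part of dev-sec's collection). The login.defs text below
is constructed; on a managed host the data would come from /etc/login.defs.
"""
import re

# Constructed sample mirroring RHEL/CentOS 7 defaults (SYS_UID_MAX 999, UID_MIN 1000).
SAMPLE_LOGIN_DEFS_EL7 = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
"""

# Constructed sample in the RHEL/CentOS 6 layout (SYS_UID_MAX 499, UID_MIN 500).
SAMPLE_LOGIN_DEFS_EL6 = """\
UID_MIN                   500
SYS_UID_MAX               499
"""

# login.defs lines are "KEY<whitespace>VALUE"; comments start with '#'.
_KV = re.compile(r"^\s*([A-Z_]+)\s+(\S+)")


def parse_login_defs(text: str) -> dict:
    """Return a KEY -> value map from login.defs text, skipping blanks and comments."""
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def system_uid_threshold(text: str, fallback: int) -> int:
    """Lowest UID that counts as a regular (non-system) user.

    Prefers SYS_UID_MAX + 1 from login.defs (the suggestion in this thread);
    if that key is absent, uses UID_MIN; if neither is present, returns the
    fallback (standing in for the collection's os_auth_uid_min variable).
    """
    defs = parse_login_defs(text)
    if "SYS_UID_MAX" in defs:
        return int(defs["SYS_UID_MAX"]) + 1
    if "UID_MIN" in defs:
        return int(defs["UID_MIN"])
    return fallback


def pam_succeed_if_line(threshold: int) -> str:
    """Render a pam_succeed_if rule of the kind the template hardcodes (assumed form)."""
    return f"auth        sufficient    pam_succeed_if.so uid >= {threshold} quiet"


def is_system_account(uid: int, threshold: int) -> bool:
    """True when the UID falls below the regular-user boundary."""
    return uid < threshold


if __name__ == "__main__":
    for name, text in (("EL7", SAMPLE_LOGIN_DEFS_EL7), ("EL6", SAMPLE_LOGIN_DEFS_EL6)):
        t = system_uid_threshold(text, fallback=1000)
        print(f"{name}: threshold {t} -> {pam_succeed_if_line(t)}")
```

In a role this lookup would run against the managed host's /etc/login.defs (as a fact gathered from the target, not the control node), with os_auth_uid_min kept as the fallback when the key is missing, so the rendered rule follows whatever boundary the host's useradd actually uses.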