Open gagandhaliwal1 opened 4 years ago
I strongly disagree with the suggested remediation CIS provides. One shall not edit systemd unit files in /usr/lib (or /lib). Instead, one shall place an override systemd unit file in /etc/systemd/system.
N.B. Even if the unit file in /usr/lib/systemd is compliant, if a non-compliant unit is in /etc/systemd, then that one is used instead.
I still don't agree with CIS about this, but as it turns out I've included this in PR #59.
The CIS Level 1 setting for requiring authentication in single-user mode on RHEL 8 is different compared to older RHEL versions. rules/ensure_authentication_required_for_single_user_mode.pp with below ExecStart for RHEL8. CIS RHEL 8 1.5.3.
grep /systemd-sulogin-shell /usr/lib/systemd/system/rescue.service
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
grep /systemd-sulogin-shell /usr/lib/systemd/system/emergency.service
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
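
Because a unit or drop-in under /etc/systemd/system takes precedence over the copy in /usr/lib/systemd/system, grepping the vendor file alone can report a compliant result for a non-compliant system. The following is an added example, not part of the issue or the module's code: it resolves the ExecStart systemd would actually use and compares it with the lines quoted above. The function names and the optional root argument (a path prefix for a fixture tree) are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not from the issue or the Puppet module).
# Resolves the ExecStart that systemd would use for a unit, then audits it.
# Assumptions: the optional ROOT argument is a path prefix for a fixture tree
# (empty = live filesystem); paths contain no spaces; only ExecStart= lines
# are parsed and backslash line continuations are not handled.

DIRS="/etc/systemd/system /run/systemd/system /usr/lib/systemd/system"  # high -> low priority

effective_execstart() {   # usage: effective_execstart <unit> [root]
    local unit="$1" root="${2:-}" main="" files="" names d n f
    # A full unit file in /etc (or /run) replaces the vendor copy outright.
    for d in $DIRS; do
        if [ -f "$root$d/$unit" ]; then main="$root$d/$unit"; break; fi
    done
    [ -n "$main" ] || return 1
    # Drop-ins from all directories are merged in file-name order; for a
    # duplicate name the higher-priority directory wins.
    names=$(for d in $DIRS; do
                for f in "$root$d/$unit.d"/*.conf; do
                    if [ -f "$f" ]; then echo "${f##*/}"; fi
                done
            done | LC_ALL=C sort -u)
    for n in $names; do
        for d in $DIRS; do
            if [ -f "$root$d/$unit.d/$n" ]; then files="$files $root$d/$unit.d/$n"; break; fi
        done
    done
    # An empty "ExecStart=" resets the list; any other value is appended.
    awk '/^ExecStart[ \t]*=/ {
             v = $0; sub(/^ExecStart[ \t]*=[ \t]*/, "", v)
             if (v == "") n = 0; else cmd[++n] = v
         }
         END { for (i = 1; i <= n; i++) print cmd[i] }' "$main" $files
}

sulogin_enforced() {      # usage: sulogin_enforced <rescue|emergency> [root]
    local want="-/usr/lib/systemd/systemd-sulogin-shell $1"
    # Compliant only if the single effective ExecStart is the sulogin shell.
    [ "$(effective_execstart "$1.service" "${2:-}")" = "$want" ]
}
```

On a live host, `sulogin_enforced rescue` and `sulogin_enforced emergency` return 0 only when the effective unit requires authentication, whichever directory supplies it.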