Issue with Task 4.3.7 Ensure access to the su command is restricted #374

Open
msachikanta opened this issue May 14, 2024 · 1 comment
Labels
bug Something isn't working

msachikanta commented May 14, 2024

Describe the Issue
Noticed that the task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is updating with the entire output of the discovered_sugroup dynamic value, which gets populated from task 4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists, as shown below:

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
  ansible.builtin.group:
      name: "{{ rhel8cis_sugroup }}"
      state: present
  register: discovered_sugroup

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
  ansible.builtin.lineinfile:
      path: /etc/group
      regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
      line: '{{ discovered_sugroup }}\g<1>'
      backrefs: true

- name: "4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
  ansible.builtin.lineinfile:
      path: /etc/pam.d/su
      regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
      line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'

Expected Behavior
Task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is supposed to update only the value of the rhel8cis_sugroup variable, which should be sugroup, as shown below:

auth           required        pam_wheel.so use_uid group=sugroup

However, it is updating the entire output of discovered_sugroup, as shown below:

Actual Behavior
The task 4.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid is updating the entire output of discovered_sugroup, as shown below:

auth           required        pam_wheel.so use_uid group={'name': 'sugroup', 'state': 'present', 'changed': True, 'system': False, 'gid': 1001, 'failed': False}

Control(s) Affected
Nothing

Environment (please complete the following information):

  • branch being used: [e.g. devel]

Additional Notes

Possible Solution
The below lines

line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup }}'
regexp: '^{{ discovered_sugroup }}(:.:.*:).*$'
line: '{{ discovered_sugroup }}\g<1>'

can be replaced with

line: 'auth           required        pam_wheel.so use_uid group={{ rhel8cis_sugroup }}'
regexp: '^{{ rhel8cis_sugroup }}(:.:.*:).*$'
line: '{{ rhel8cis_sugroup }}\g<1>'

or

line: 'auth           required        pam_wheel.so use_uid group={{ discovered_sugroup['name'] }}'
regexp: '^{{ discovered_sugroup['name'] }}(:.:.*:).*$'
line: '{{ discovered_sugroup['name'] }}\g<1>'

to fix the issue.
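The following is an added example, not code from the issue or from the ansible-lockdown role, that reproduces the bug above outside Ansible. It emulates what Ansible's Jinja templating does with `{{ discovered_sugroup }}` (a registered result is a dict, and a non-string value is rendered with its `str()` form, which is the assumption this emulation rests on), applies both `lineinfile` templates to a constructed `/etc/group` sample, and adds a small validity check on the `group=` value of the `pam_wheel.so` line. The sample group lines, the `DISCOVERED_SUGROUP` dict (copied from the Actual Behavior output) and the function names are all constructed for this example. It shows the second, quieter half of the problem: with the dict rendered into the regexp, the "remove users from group" task never matches any line of `/etc/group`, so the group members are left in place with no error.

```python
import re

# Constructed sample of /etc/group lines (not taken from a real host).
SAMPLE_GROUP_FILE = [
    "root:x:0:",
    "wheel:x:10:alice,bob",
    "sugroup:x:1001:alice,bob",
]

# Constructed stand-in for what ansible.builtin.group registers into
# discovered_sugroup; the values are the ones shown in the issue output.
DISCOVERED_SUGROUP = {
    "name": "sugroup", "state": "present", "changed": True,
    "system": False, "gid": 1001, "failed": False,
}

# Assumption: a POSIX group name (lower-case, digits, '_' and '-', optional
# trailing '$'), used only to sanity-check the rendered pam_wheel line.
GROUP_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def render(template: str, value) -> str:
    """Emulate a '{{ var }}' expansion: Jinja renders a non-string value
    (here the registered dict) with str(), which is what the issue shows."""
    return template.replace("{{ var }}", str(value))


def pam_wheel_line(value) -> str:
    """Render the 'Setting pam_wheel to use_uid' line for the given value."""
    return render(
        "auth           required        pam_wheel.so use_uid group={{ var }}", value
    )


def pam_group_value(line: str) -> str:
    """Extract the group= argument from a rendered pam_wheel line."""
    return line.split("group=", 1)[1]


def valid_group_name(name: str) -> bool:
    """True if the group= argument looks like a real group name rather than
    a rendered dict; a check worth running before writing /etc/pam.d/su."""
    return GROUP_NAME_RE.match(name) is not None


def strip_group_members(lines, value):
    """Emulate the 'remove users from group' lineinfile task with
    backrefs=true: rewrite the first line matching the regexp using the
    \\g<1> backreference; when nothing matches, backrefs=true means the
    file is left unchanged (no line is appended and no error is raised)."""
    regexp = re.compile(render(r"^{{ var }}(:.:.*:).*$", value))
    line_template = render(r"{{ var }}\g<1>", value)
    out = list(lines)
    for i, line in enumerate(out):
        if regexp.match(line):
            out[i] = regexp.sub(line_template, line)
            return out, True
    return out, False


if __name__ == "__main__":
    for label, value in (("buggy", DISCOVERED_SUGROUP),
                         ("fixed", DISCOVERED_SUGROUP["name"])):
        pam = pam_wheel_line(value)
        lines, changed = strip_group_members(SAMPLE_GROUP_FILE, value)
        print(f"[{label}] pam line: {pam}")
        print(f"[{label}] group= is a valid name: "
              f"{valid_group_name(pam_group_value(pam))}")
        print(f"[{label}] /etc/group changed: {changed}; sugroup line: {lines[2]}")
```

Running it prints the dict-rendered `pam_wheel.so` line from the issue for the buggy case and `group=sugroup` for the fixed case; only the fixed case rewrites the `sugroup` line to `sugroup:x:1001:`. The same `valid_group_name` check can be used as a guard (for example in an `ansible.builtin.assert` task) so a templating mistake like this fails the play instead of leaving `/etc/pam.d/su` with an unusable `group=` argument.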

@msachikanta msachikanta added the bug Something isn't working label May 14, 2024
@uk-bolly uk-bolly self-assigned this May 17, 2024
uk-bolly (Member) commented

Hi @msachikanta

Thank you for raising this issue. I'm looking at it and putting a few fixes together, and will be submitting the PR shortly.

Many thanks

uk-bolly
