From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 13:30:24 +0200
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
---
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index e9a29a24d5..6fbb7c72a5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,9 @@
# strategy = restrict
# complexity = low
# disruption = low
-- name: Test for existence of /etc/securetty
- stat:
- path: /etc/securetty
- register: securetty_empty
+
- name: "Direct root Logins Not Allowed"
copy:
dest: /etc/securetty
content: ""
- when: securetty_empty.stat.size > 1
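Review bot: With the `stat` task and its `when` removed, the `copy` task under `- name: "Direct root Logins Not Allowed"` now writes `/etc/securetty` unconditionally, yet it still does not pin the file's owner, group or mode, so a file that has to be created (the `missing.fail.sh` case added later in this series) gets whatever the remediation process's umask yields, while an existing file keeps whatever permissions it already had. Add `owner: root`, `group: root` and a `mode:` set to the distribution's default for /etc/securetty to the copy task so the remediated state is fully specified rather than inherited. Dropping the size guard itself is sound, since `copy` with identical content reports no change, but the rest of the playbook lies outside the hunk, so a search for any remaining use of the removed `securetty_empty` register is worth doing.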
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:21:38 +0200
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
---
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
index 29f37081be..38d7c7c350 100644
--- a/shared/templates/template_ANSIBLE_sebool
+++ b/shared/templates/template_ANSIBLE_sebool
@@ -13,11 +13,17 @@
{{% else %}}
- (xccdf-var var_{{{ SEBOOLID }}})
+{{% if product == "rhel8" %}}
+- name: Ensure python3-libsemanage installed
+ package:
+ name: python3-libsemanage
+ state: present
+{{% else %}}
- name: Ensure libsemanage-python installed
package:
name: libsemanage-python
state: present
-
+{{% endif %}}
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
seboolean:
name: {{{ SEBOOLID }}}
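Review bot: The new branch at `{{% if product == "rhel8" %}}` selects the package name by one product literal, so any other python3-based product that renders this shared template (I am inferring that there are others from the template living under shared/) still falls into the `{{% else %}}` branch and tries to install `libsemanage-python`, the python2 name. Keying the choice on the Python stack the product uses, or on a project-wide variable if one exists, would generalize better; failing that, a template comment above the condition such as `# python3-libsemanage replaces libsemanage-python on python3-only products; extend this list as products move to python3` would at least make the intent and the maintenance duty explicit. The outer `{{% if %}}` whose `{{% else %}}` opens this hunk, and the `seboolean` task at its end, continue outside the hunk.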
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Thu, 21 May 2020 14:57:05 +0200
Subject: [PATCH 3/3] add tests for no_direct_root_logins
---
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
3 files changed, 9 insertions(+)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
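--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo > /etc/securetty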
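Review bot: `echo > /etc/securetty` leaves a one-byte file containing a newline, whereas the Ansible remediation in the first patch of this series writes `content: ""`, a zero-byte file, so this pass fixture exercises a state different from the one the remediation actually produces and only passes if the check (not part of this series) treats a whitespace-only file as empty. Add a second pass fixture for the remediated state, `: > /etc/securetty`, or change this one to `printf '' > /etc/securetty`, so that the check and the remediation are verified against the same file content.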
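--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+rm -f /etc/securetty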
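--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "something" > /etc/securetty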