Merge pull request #12672 from ericeberry/u2404_5424

Ubuntu 24.04 5.4.2.4 Ensure root account access is controlled

components/pam.yml

@@ -137,6 +137,7 @@ rules:
 - enable_authselect
 - enable_pam_namespace
 - ensure_pam_wheel_group_empty
+- ensure_root_access_controlled
 - ensure_root_password_configured
 - ensure_shadow_group_empty
 - ensure_sudo_group_restricted

controls/cis_ubuntu2404.yml

@@ -2145,8 +2145,10 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    status: planned
-    notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+    rules:
+      - ensure_root_access_controlled
+    status: automated
+    notes: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked.
 
   - id: 5.4.2.5
     title: Ensure root path integrity (Automated)

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml

@@ -0,0 +1,19 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Ensure root account access is controlled") }}}
+    <criteria>
+      <criterion comment="verify root password is set"
+          test_ref="test_root_access_controlled_etc_shadow" />
+    </criteria>
+  </definition>
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+      version="1" id="test_root_access_controlled_etc_shadow"
+      comment="make sure root password is set in /etc/shadow">
+    <ind:object object_ref="obj_root_access_controlled_etc_shadow" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="obj_root_access_controlled_etc_shadow" version="1">
+    <ind:filepath>/etc/shadow</ind:filepath>
+    <ind:pattern operation="pattern match">^root:(\$(y|[0-9].+)\$|!.*|\*.*).*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+</def-group>

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+
+title: 'Ensure root account access is controlled'
+
+description: |-
+    There are a number of methods to access the root account directly. 
+    Without a password set any user would be able to gain access and 
+    thus control over the entire system.
+
+rationale: |-
+    Access to root should be secured at all times.
+
+severity: medium
+
+platform: system_with_kernel
+
+ocil_clause: 'root password is not set or is not locked'
+
+ocil: |-
+    Run the following command to verify that either the root user's
+    password is set or the root user's account is locked:
+    <pre># passwd -S root | awk '$2 ~ /^(P|L)/ {print "User: \"" $1 "\" Password is status: " $2}'</pre>
+    Verify the output is either: 
+    User: "root" Password is status: P
+    - OR -
+    User: "root" Password is status: L
+    Note:
+    - P - Password is set
+    - L - Password is locked
+    
+
+warnings:
+  - general: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked.
+

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+# packages = passwd
+# platform = multi_platform_all
+
+sed -i "s/^root:[^:]*/root:\$y\$AAAAAAAAAA/" /etc/shadow

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = passwd
+# platform = multi_platform_all
+# remediation = None
+
+passwd -d root

linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# packages = passwd
+# platform = multi_platform_all
+# remediation = None
+
+passwd -l root