From 5b1b952d4b2e3c47b5e3d898cf64613df8b39668 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Wed, 27 Nov 2024 11:32:22 -0800 Subject: [PATCH 1/3] Ubuntu 24.04 5.4.2.4 Ensure root account access is controlled --- components/pam.yml | 1 + controls/cis_ubuntu2404.yml | 6 ++-- .../oval/shared.xml | 19 +++++++++++ .../ensure_root_access_controlled/rule.yml | 34 +++++++++++++++++++ .../tests/correct.pass.sh | 5 +++ .../tests/empty.fail.sh | 6 ++++ .../tests/locked.pass.sh | 6 ++++ 7 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh diff --git a/components/pam.yml b/components/pam.yml index 577d57e6682..3dfd260c377 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -137,6 +137,7 @@ rules: - enable_authselect - enable_pam_namespace - ensure_pam_wheel_group_empty +- ensure_root_access_controlled - ensure_root_password_configured - ensure_shadow_group_empty - ensure_sudo_group_restricted diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 74a2cee01e6..a70ab008385 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -2140,8 +2140,10 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - ensure_root_access_controlled + status: automated + notes: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked. - id: 5.4.2.5 title: Ensure root path integrity (Automated) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml new file mode 100644 index 00000000000..cfae0e503db --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml @@ -0,0 +1,19 @@ + + + {{{ oval_metadata("Ensure root account access is controlled") }}} + + + + + + + + + /etc/shadow + ^root:(\$(y|[0-9].+)\$|!.*|\*.*).*$ + 1 + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml new file mode 100644 index 00000000000..29806238aef --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + + +title: 'Ensure root account access is controlled' + +description: |- + There are a number of methods to access the root account directly. + Without a password set any user would be able to gain access and + thus control over the entire system. + +rationale: |- + Access to root should be secured at all times. + +severity: medium + +platform: system_with_kernel + +ocil_clause: 'root password is not set or is not locked' + +ocil: |- + Run the following command to verify that either the root user's + password is set or the root user's account is locked: + 
# passwd -S root | awk '$2 ~ /^(P|L)/ {print "User: \"" $1 "\" Password is status: " $2}'
+ Verify the output is either: + User: "root" Password is status: P + - OR - + User: "root" Password is status: L + Note: + - P - Password is set + - L - Password is locked + + +warnings: + - general: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked. \ No newline at end of file diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh new file mode 100644 index 00000000000..01cd47b059e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# packages = passwd +# platform = multi_platform_all + +sed -i "s/^root:[^:]*/root:\$y\$AAAAAAAAAA/" /etc/shadow diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh new file mode 100644 index 00000000000..e341109e1b6 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = passwd +# platform = multi_platform_all +# remediation = None + +passwd -d root diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh new file mode 100644 index 00000000000..e79e6768eb3 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = passwd +# platform = multi_platform_all +# remediation = None + +passwd -l root From 7b1ee5808fc79a9c6ba848b88bb91e36aeaad14e Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Wed, 11 Dec 2024 15:15:19 -0800 Subject: [PATCH 2/3] Ubuntu 24.04 5.4.2.4 Ensure root account access is controlled --- .../root_logins/ensure_root_access_controlled/rule.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml index 29806238aef..de9e978f037 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml @@ -31,4 +31,5 @@ ocil: |- warnings: - - general: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked. \ No newline at end of file + - general: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked. + \ No newline at end of file From cf3f73445b1284bae941d26e04600f1443fb73ba Mon Sep 17 00:00:00 2001 From: ericeberry Date: Thu, 12 Dec 2024 11:55:03 -0800 Subject: [PATCH 3/3] Update rule.yml --- .../root_logins/ensure_root_access_controlled/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml index de9e978f037..93e3400b72b 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml @@ -32,4 +32,4 @@ ocil: |- warnings: - general: This rule doesn't come with a remediation, as the exact requirement allows root to either have a password or be locked. - \ No newline at end of file +