From ca2943789d345ed48f724ea8951f68f872a66da5 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Wed, 27 Nov 2024 11:32:22 -0800 Subject: [PATCH] Ubuntu 22.04 5.4.2.4 Ensure root account access is controlled --- components/pam.yml | 1 + controls/cis_ubuntu2404.yml | 9 +++--- .../oval/shared.xml | 19 ++++++++++++ .../ensure_root_access_controlled/rule.yml | 31 +++++++++++++++++++ .../tests/correct.pass.sh | 5 +++ .../tests/empty.fail.sh | 6 ++++ .../tests/locked.pass.sh | 6 ++++ 7 files changed, 73 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh diff --git a/components/pam.yml b/components/pam.yml index 577d57e6682..3dfd260c377 100644 --- a/components/pam.yml +++ b/components/pam.yml @@ -137,6 +137,7 @@ rules: - enable_authselect - enable_pam_namespace - ensure_pam_wheel_group_empty +- ensure_root_access_controlled - ensure_root_password_configured - ensure_shadow_group_empty - ensure_sudo_group_restricted diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 3323ddee88f..b900eb09d21 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -2126,13 +2126,14 @@ controls: notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. - id: 5.4.2.4 - title: Ensure root account access is controlled (Automated) + title: Ensure root account access is controlled levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. - + rules: + - ensure_root_access_controlled + status: manual + - id: 5.4.2.5 title: Ensure root path integrity (Automated) levels: diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml new file mode 100644 index 00000000000..cfae0e503db --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/oval/shared.xml @@ -0,0 +1,19 @@ + + + {{{ oval_metadata("Ensure root account access is controlled") }}} + + + + + + + + + /etc/shadow + ^root:(\$(y|[0-9].+)\$|!.*|\*.*).*$ + 1 + + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml new file mode 100644 index 00000000000..bfe57f49bb6 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + + +title: 'Ensure root account access is controlled' + +description: |- + There are a number of methods to access the root account directly. + Without a password set any user would be able to gain access and + thus control over the entire system. + +rationale: |- + Access to root should be secured at all times. + +severity: medium + +platform: system_with_kernel + +ocil_clause: 'root password is not set or is not locked' + +ocil: |- + Run the following command to verify that either the root user's + password is set or the root user's account is locked: + 
# passwd -S root | awk '$2 ~ /^(P|L)/ {print "User: \"" $1 "\" Password is status: " $2}'
+ Verify the output is either: + User: "root" Password is status: P + - OR - + User: "root" Password is status: L + Note: + - P - Password is set + - L - Password is locked + diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh new file mode 100644 index 00000000000..01cd47b059e --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/correct.pass.sh @@ -0,0 +1,5 @@ +#!/bin/bash +# packages = passwd +# platform = multi_platform_all + +sed -i "s/^root:[^:]*/root:\$y\$AAAAAAAAAA/" /etc/shadow diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh new file mode 100644 index 00000000000..e341109e1b6 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/empty.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = passwd +# platform = multi_platform_all +# remediation = None + +passwd -d root diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh new file mode 100644 index 00000000000..e79e6768eb3 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/ensure_root_access_controlled/tests/locked.pass.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# packages = passwd +# platform = multi_platform_all +# remediation = None + +passwd -l root