From aa283116117ed378f6109638a9f69e337ed9a86d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Jan 2025 11:26:54 +0100
Subject: [PATCH 1/2] require_singleuser_auth: update ocil and fixtext
---
 .../require_singleuser_auth/rule.yml | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
index 1846c60d1e8..bc0beb98a79 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -64,6 +64,17 @@ ocil: |-
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
{{%- endif %}}
+ In case the output does not match, check if the ExecStart directive is not overridden:
+
grep ExecStart /etc/systemd/system/rescue.service.d/*.conf
+ The output should contain two lines:
+
ExecStart=
+    {{% if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
+    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+ {{%- else -%}}
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ {{%- endif %}}
+ + {{% if product not in ["ol8", "rhel8"] %}} Then, verify that the rescue service is in the runlevel1.target. Run the following command:
@@ -85,11 +96,12 @@ ocil: |-
 fixtext: |-
 Configure {{{ full_name }}} to require authentication in single user mode.
- Add or update the following line in "/usr/lib/systemd/system/rescue.service":
+ Ensure that there are following two lines in /etc/systemd/system/rescue.service.d/10-remediation.conf:
+
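Review bot: In the new ocil text of rule.yml, the `grep ExecStart /etc/systemd/system/rescue.service.d/*.conf` step reports what the drop-in files contain, not what systemd will actually run: drop-ins are merged in lexical order, an empty `ExecStart=` resets the command list, and a drop-in that sorts after the one holding the two expected lines, a full override unit in /etc/systemd/system, or a fragment under /run/systemd/system can change the effective command while the two lines still show up in the grep output, so the check can pass on a misconfigured host. A check that reads the effective value, e.g. `systemctl show -p ExecStart rescue.service` (or `systemctl cat rescue.service`, which prints every fragment with its path), avoids that and does not depend on the drop-in directory existing. The new `{{% if product in [...] %}}` condition lists rhcos4 whereas the fixtext condition on the unchanged line in the next hunk does not; if that is intended, a short Jinja comment would save the next reader a question. The same grep-based wording is in the STIG checktext of policy/stig/shared.yml in the second patch. The ocil block begins before this hunk and continues after it.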
ExecStart=
     {{% if product in ["fedora", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
-    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
{{%- else -%}}
- ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+ ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
 {{%- endif %}}
 srg_requirement: '{{{ full_name }}} must require authentication upon booting into rescue mode.'
From f48da81349b047aab4a42f1e0ef214d4103c1e9a Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 21 Jan 2025 16:17:28 +0100
Subject: [PATCH 2/2] modify stig-specific prose
---
 .../require_singleuser_auth/policy/stig/shared.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml
index 9ed13f583fd..cd3f7c9ddc0 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml
@@ -13,12 +13,21 @@ checktext: |-
 ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
- If this line is not returned, or is commented out, this is a finding.
+ In case the output does not match, check if the ExecStart directive is not overridden:
+
+ grep ExecStart /etc/systemd/system/rescue.service.d/*.conf
+
+ The output should contain two lines:
+ ExecStart=
+ ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+
+ If the line is not returned in any of cases mentioned above, or is commented out, this is a finding.
 fixtext: |-
 Configure {{{ full_name }}} to require authentication for single-user mode.
- Add or modify the following line in the "/usr/lib/systemd/system/rescue.service" file:
+ Add following two lines to the file "/etc/systemd/system/rescue.service.d/10-remediation.conf":
+ ExecStart=
 ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
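Review bot: The rewritten fixtext of rule.yml tells the reader to put the two lines into /etc/systemd/system/rescue.service.d/10-remediation.conf but says nothing about reloading systemd, so on a running system the previous ExecStart stays in effect until `systemctl daemon-reload` is run; even if the rule's bash or ansible remediation already does this (not visible here), the fixtext is what a manual fix follows and should say it. The order of the two lines also matters, since the empty `ExecStart=` is what clears the command inherited from /usr/lib/systemd/system/rescue.service, and a drop-in sorting after 10-remediation.conf can still override it, so the prose should state both. Suggested wording: `Ensure that the following two lines are present, in this order, in /etc/systemd/system/rescue.service.d/10-remediation.conf, that no later drop-in sets ExecStart, and run systemctl daemon-reload afterwards:`. The STIG fixtext of policy/stig/shared.yml in the second patch has the same omission.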