Merge pull request #4889 from redhatrises/nmcli_permissions
Add rule for NIST AC-18(4)
Showing 5 changed files with 124 additions and 2 deletions.
19 changes: 19 additions & 0 deletions
linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml
@@ -0,0 +1,19 @@ | ||
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
|
||
- name: Ensure non-privileged users do not have access to nmcli | ||
ini_file: | ||
path: /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla | ||
section: Disable General User Access to NetworkManager | ||
option: "{{ item.option }}" | ||
value: "{{ item.value }}" | ||
create: yes | ||
loop: | ||
- { option: 'Identity', value: 'default' } | ||
- { option: 'Action', value: 'org.freedesktop.NetworkManager.*' } | ||
- { option: 'ResultAny', value: 'no' } | ||
- { option: 'ResultInactive', value: 'no' } | ||
- { option: 'ResultActive', value: 'auth_admin' } |
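Review bot: the ini_file tasks write `Identity = default` (Ansible's ini_file pads the `=` with spaces unless `no_extra_spaces: yes` is set), which neither the bash remediation's printf nor the OVAL pattern in oval/shared.xml (`Identity=default`, no whitespace around `=`) produces or accepts, so a host remediated with this playbook would still fail the scan. Add `no_extra_spaces: yes` to the task, or write the whole file with `copy` content identical to the bash version. The remediation itself is effective either way, since polkit's key-file parser tolerates the spaces; only the scanner disagrees.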
7 changes: 7 additions & 0 deletions
linux_os/guide/system/network/network_nmcli_permissions/bash/shared.sh
@@ -0,0 +1,7 @@ | ||
# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv,multi_platform_fedora | ||
# reboot = false | ||
# strategy = restrict | ||
# complexity = low | ||
# disruption = low | ||
|
||
printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla |
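Review bot: the printf redirection on the last line assumes /etc/polkit-1/localauthority/20-org.d/ already exists and fails with "No such file or directory" otherwise; add `mkdir -p /etc/polkit-1/localauthority/20-org.d` before it. Also worth stating in the rule: on the Red Hat Enterprise Linux 8 and Fedora platforms named in the header, .pkla files under localauthority are only honoured when the polkit-pkla-compat package is installed (polkit itself has used JavaScript .rules files since 0.106), so this remediation silently does nothing on a host without that package.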
35 changes: 35 additions & 0 deletions
linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml
@@ -0,0 +1,35 @@ | ||
<def-group> | ||
<definition class="compliance" id="network_nmcli_permissions" version="1"> | ||
<metadata> | ||
<title>Ensure non-Privileged Users Cannot Change Network Settings</title> | ||
<affected family="unix"> | ||
<platform>Red Hat Enterprise Linux 7</platform> | ||
<platform>Red Hat Enterprise Linux 8</platform> | ||
<platform>multi_platform_rhv</platform> | ||
<platform>multi_platform_fedora</platform> | ||
</affected> | ||
<description>polkit is properly configured to prevent non-privilged users from changing networking settings</description> | ||
</metadata> | ||
<criteria> | ||
<criterion test_ref="test_network_nmcli_permissions" comment="check for properly configured .pkla file" /> | ||
</criteria> | ||
</definition> | ||
|
||
<ind:textfilecontent54_test id="test_network_nmcli_permissions" | ||
comment="polkit is properly configured to prevent non-privilged users from changing networking settings" | ||
check="all" check_existence="all_exist" version="1"> | ||
<ind:object object_ref="object_network_nmcli_permissions" /> | ||
<ind:state state_ref="state_network_nmcli_permissions" /> | ||
</ind:textfilecontent54_test> | ||
|
||
<ind:textfilecontent54_object id="object_network_nmcli_permissions" version="1"> | ||
<ind:filepath operation="pattern match">^/etc/polkit-1/localauthority/20-org.d/.*$</ind:filepath> | ||
<ind:pattern operation="pattern match">^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$</ind:pattern> | ||
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
</ind:textfilecontent54_object> | ||
|
||
<ind:textfilecontent54_state id="state_network_nmcli_permissions" version="1"> | ||
<ind:subexpression datatype="string">ResultActive=auth_admin</ind:subexpression> | ||
</ind:textfilecontent54_state> | ||
|
||
</def-group> |
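Review bot: the pattern in the textfilecontent54_object hard-codes key order, exact spelling and layout (`Identity=default` through `ResultActive=auth_admin` with no whitespace around `=`, nothing after the last key), so a semantically identical file with the keys in another order, `Key = value` spacing, a trailing comment or a second section is reported as failing, while the filepath pattern `^/etc/polkit-1/localauthority/20-org.d/.*$` also matches files pklocalauthority ignores (anything not ending in .pkla). Anchor the filepath on `\.pkla$` and match each key on its own, with `\s*=\s*`, so the test checks the settings rather than the formatting. Note also that the test passes as soon as one matching file exists, even if a file processed later (a later name in the same directory, or 30-site.d/50-local.d/90-mandatory.d) re-grants the action; a single textfilecontent test cannot catch that override, so say so in the description. Minor: "non-privilged" in the description and in the test comment.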
63 changes: 63 additions & 0 deletions
linux_os/guide/system/network/network_nmcli_permissions/rule.yml
@@ -0,0 +1,63 @@ | ||
documentation_complete: true | ||
|
||
prodtype: rhel7,rhel8,fedora,rhv4 | ||
|
||
title: 'Prevent non-Privileged Users from Modifying Network Interfaces using nmcli' | ||
|
||
description: |- | ||
By default, non-privileged users are given permissions to modify networking | ||
interfaces and configurations using the <tt>nmcli</tt> command. Non-privileged | ||
users should not be making configuration changes to network configurations. To | ||
ensure that non-privileged users do not have permissions to make changes to the | ||
network configuration using <tt>nmcli</tt>, create the following configuration in | ||
<tt>/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla</tt>: | ||
<pre> | ||
[Disable General User Access to NetworkManager] | ||
Identity=default | ||
Action=org.freedesktop.NetworkManager.* | ||
ResultAny=no | ||
ResultInactive=no | ||
ResultActive=auth_admin | ||
</pre> | ||
rationale: |- | ||
Allowing non-privileged users to make changes to network settings can allow | ||
untrusted access, prevent system availability, and/or can lead to a compromise or | ||
attack. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@rhel7: 82178-5 | ||
cce@rhel8: 82179-3 | ||
|
||
references: | ||
cui: 3.1.16 | ||
nist: AC-18(a),AC-18(4) | ||
|
||
ocil_clause: 'non-privileged users can modify or change network settings' | ||
|
||
ocil: |- | ||
Using a non-privileged account, verify that users cannot modify or change | ||
network settings with the <tt>nmcli</tt> command with the following command: | ||
<pre>$ nmcli general permissions</pre> | ||
The output should contain the following: | ||
<pre>PERMISSION VALUE | ||
org.freedesktop.NetworkManager.enable-disable-network auth | ||
org.freedesktop.NetworkManager.enable-disable-wifi auth | ||
org.freedesktop.NetworkManager.enable-disable-wwan auth | ||
org.freedesktop.NetworkManager.enable-disable-wimax auth | ||
org.freedesktop.NetworkManager.sleep-wake auth | ||
org.freedesktop.NetworkManager.network-control auth | ||
org.freedesktop.NetworkManager.wifi.share.protected auth | ||
org.freedesktop.NetworkManager.wifi.share.open auth | ||
org.freedesktop.NetworkManager.settings.modify.system auth | ||
org.freedesktop.NetworkManager.settings.modify.own auth | ||
org.freedesktop.NetworkManager.settings.modify.hostname auth | ||
org.freedesktop.NetworkManager.settings.modify.global-dns auth | ||
org.freedesktop.NetworkManager.reload auth | ||
org.freedesktop.NetworkManager.checkpoint-rollback auth | ||
org.freedesktop.NetworkManager.enable-disable-statistics auth | ||
org.freedesktop.NetworkManager.enable-disable-connectivity-check auth | ||
org.freedesktop.NetworkManager.wifi.scan auth | ||
</pre> |
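Review bot: the expected output in the ocil block is both version-specific and session-specific: the permission list includes `org.freedesktop.NetworkManager.enable-disable-wimax`, which newer NetworkManager builds no longer have, and other releases print additional entries, and the `auth` value is what nmcli reports for a polkit challenge, i.e. the `ResultActive=auth_admin` case from an active local session. The same command run over SSH or from another inactive session hits `ResultInactive=no` and prints `no` for every row. Rephrase the check as "no org.freedesktop.NetworkManager.* permission shows yes; each shows auth or no" rather than a literal table. Separately, the title and description talk only about nmcli, but `Action=org.freedesktop.NetworkManager.*` restricts every NetworkManager client (nmtui, the desktop applet, any D-Bus caller), which is what AC-18(4) asks for; the description should say so.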
@@ -1,5 +1,3 @@ | ||
CCE-82178-5 | ||
CCE-82179-3 | ||
CCE-82180-1 | ||
CCE-82181-9 | ||
CCE-82182-7 | ||
|