Merge pull request #4889 from redhatrises/nmcli_permissions

Add rule for NIST AC-18(4)

linux_os/guide/system/network/network_nmcli_permissions/ansible/shared.yml

@@ -0,0 +1,19 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Ensure non-privileged users do not have access to nmcli
+  ini_file:
+    path: /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
+    section: Disable General User Access to NetworkManager
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    create: yes
+  loop:
+    - { option: 'Identity', value: 'default' }
+    - { option: 'Action', value: 'org.freedesktop.NetworkManager.*' }
+    - { option: 'ResultAny', value: 'no' }
+    - { option: 'ResultInactive', value: 'no' }
+    - { option: 'ResultActive', value: 'auth_admin' }

linux_os/guide/system/network/network_nmcli_permissions/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform = Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,multi_platform_rhv,multi_platform_fedora
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla

linux_os/guide/system/network/network_nmcli_permissions/oval/shared.xml

@@ -0,0 +1,35 @@
+<def-group>
+  <definition class="compliance" id="network_nmcli_permissions" version="1">
+    <metadata>
+      <title>Ensure non-Privileged Users Cannot Change Network Settings</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>multi_platform_rhv</platform>
+        <platform>multi_platform_fedora</platform>
+      </affected>
+      <description>polkit is properly configured to prevent non-privilged users from changing networking settings</description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_network_nmcli_permissions" comment="check for properly configured .pkla file" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_network_nmcli_permissions"
+  comment="polkit is properly configured to prevent non-privilged users from changing networking settings"
+  check="all" check_existence="all_exist" version="1">
+    <ind:object object_ref="object_network_nmcli_permissions" />
+    <ind:state state_ref="state_network_nmcli_permissions" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="object_network_nmcli_permissions" version="1">
+    <ind:filepath operation="pattern match">^/etc/polkit-1/localauthority/20-org.d/.*$</ind:filepath>
+    <ind:pattern operation="pattern match">^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$</ind:pattern>
+    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_state id="state_network_nmcli_permissions" version="1">
+    <ind:subexpression datatype="string">ResultActive=auth_admin</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+</def-group>

linux_os/guide/system/network/network_nmcli_permissions/rule.yml

@@ -0,0 +1,63 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,fedora,rhv4
+
+title: 'Prevent non-Privileged Users from Modifying Network Interfaces using nmcli'
+
+description: |-
+    By default, non-privileged users are given permissions to modify networking
+    interfaces and configurations using the <tt>nmcli</tt> command. Non-privileged
+    users should not be making configuration changes to network configurations. To
+    ensure that non-privileged users do not have permissions to make changes to the
+    network configuration using <tt>nmcli</tt>, create the following configuration in
+    <tt>/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla</tt>:
+    <pre>
+    [Disable General User Access to NetworkManager]
+    Identity=default
+    Action=org.freedesktop.NetworkManager.*
+    ResultAny=no
+    ResultInactive=no
+    ResultActive=auth_admin
+    </pre>
+
+rationale: |-
+    Allowing non-privileged users to make changes to network settings can allow
+    untrusted access, prevent system availability, and/or can lead to a compromise or
+    attack.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 82178-5
+    cce@rhel8: 82179-3
+
+references:
+    cui: 3.1.16
+    nist: AC-18(a),AC-18(4)
+
+ocil_clause: 'non-privileged users can modify or change network settings'
+
+ocil: |-
+    Using a non-privileged account, verify that users cannot modify or change
+    network settings with the <tt>nmcli</tt> command with the following command:
+    <pre>$ nmcli general permissions</pre>
+    The output should contain the following:
+    <pre>PERMISSION                                                        VALUE
+    org.freedesktop.NetworkManager.enable-disable-network             auth
+    org.freedesktop.NetworkManager.enable-disable-wifi                auth
+    org.freedesktop.NetworkManager.enable-disable-wwan                auth
+    org.freedesktop.NetworkManager.enable-disable-wimax               auth
+    org.freedesktop.NetworkManager.sleep-wake                         auth
+    org.freedesktop.NetworkManager.network-control                    auth
+    org.freedesktop.NetworkManager.wifi.share.protected               auth
+    org.freedesktop.NetworkManager.wifi.share.open                    auth
+    org.freedesktop.NetworkManager.settings.modify.system             auth
+    org.freedesktop.NetworkManager.settings.modify.own                auth
+    org.freedesktop.NetworkManager.settings.modify.hostname           auth
+    org.freedesktop.NetworkManager.settings.modify.global-dns         auth
+    org.freedesktop.NetworkManager.reload                             auth
+    org.freedesktop.NetworkManager.checkpoint-rollback                auth
+    org.freedesktop.NetworkManager.enable-disable-statistics          auth
+    org.freedesktop.NetworkManager.enable-disable-connectivity-check  auth
+    org.freedesktop.NetworkManager.wifi.scan                          auth
+    </pre>

shared/references/cce-redhat-avail.txt

@@ -1,5 +1,3 @@
-CCE-82178-5
-CCE-82179-3
 CCE-82180-1
 CCE-82181-9
 CCE-82182-7