104 lines
4.3 KiB
Diff
104 lines
4.3 KiB
Diff
From 31b216f0dbe9e7531f273fbbd618ff8905358497 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Thu, 21 May 2020 13:30:24 +0200
|
|
Subject: [PATCH 1/3] simplify ansible remediation of no_direct_root_logins
|
|
|
|
---
|
|
.../root_logins/no_direct_root_logins/ansible/shared.yml | 6 +-----
|
|
1 file changed, 1 insertion(+), 5 deletions(-)
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
|
index e9a29a24d5..6fbb7c72a5 100644
|
|
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
|
|
@@ -3,13 +3,9 @@
|
|
# strategy = restrict
|
|
# complexity = low
|
|
# disruption = low
|
|
-- name: Test for existence of /etc/securetty
|
|
- stat:
|
|
- path: /etc/securetty
|
|
- register: securetty_empty
|
|
+
|
|
|
|
- name: "Direct root Logins Not Allowed"
|
|
copy:
|
|
dest: /etc/securetty
|
|
content: ""
|
|
- when: securetty_empty.stat.size > 1
|
|
|
|
From d12bcac36bac2a84ddf6162946b631c99fa86071 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Thu, 21 May 2020 14:21:38 +0200
|
|
Subject: [PATCH 2/3] change name of libsemanage python bindings for rhel8
|
|
|
|
---
|
|
shared/templates/template_ANSIBLE_sebool | 8 +++++++-
|
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/shared/templates/template_ANSIBLE_sebool b/shared/templates/template_ANSIBLE_sebool
|
|
index 29f37081be..38d7c7c350 100644
|
|
--- a/shared/templates/template_ANSIBLE_sebool
|
|
+++ b/shared/templates/template_ANSIBLE_sebool
|
|
@@ -13,11 +13,17 @@
|
|
{{% else %}}
|
|
- (xccdf-var var_{{{ SEBOOLID }}})
|
|
|
|
+{{% if product == "rhel8" %}}
|
|
+- name: Ensure python3-libsemanage installed
|
|
+ package:
|
|
+ name: python3-libsemanage
|
|
+ state: present
|
|
+{{% else %}}
|
|
- name: Ensure libsemanage-python installed
|
|
package:
|
|
name: libsemanage-python
|
|
state: present
|
|
-
|
|
+{{% endif %}}
|
|
- name: Set SELinux boolean {{{ SEBOOLID }}} accordingly
|
|
seboolean:
|
|
name: {{{ SEBOOLID }}}
|
|
|
|
From ccf902082fc4f5abd8fae702e4322c6089773012 Mon Sep 17 00:00:00 2001
|
|
From: Vojtech Polasek <vpolasek@redhat.com>
|
|
Date: Thu, 21 May 2020 14:57:05 +0200
|
|
Subject: [PATCH 3/3] add tests for no_direct_root_logins
|
|
|
|
---
|
|
.../root_logins/no_direct_root_logins/tests/correct.pass.sh | 3 +++
|
|
.../root_logins/no_direct_root_logins/tests/missing.fail.sh | 3 +++
|
|
.../root_logins/no_direct_root_logins/tests/wrong.fail.sh | 3 +++
|
|
3 files changed, 9 insertions(+)
|
|
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
|
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
|
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
|
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
|
new file mode 100644
|
|
index 0000000000..17251f6a98
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/correct.pass.sh
|
|
@@ -0,0 +1,3 @@
|
|
+#!/bin/bash
|
|
+
|
|
+echo > /etc/securetty
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
|
new file mode 100644
|
|
index 0000000000..c764814b26
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/missing.fail.sh
|
|
@@ -0,0 +1,3 @@
|
|
+#!/bin/bash
|
|
+
|
|
+rm -f /etc/securetty
|
|
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
|
new file mode 100644
|
|
index 0000000000..43ac341e87
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/tests/wrong.fail.sh
|
|
@@ -0,0 +1,3 @@
|
|
+#!/bin/bash
|
|
+
|
|
+echo "something" > /etc/securetty
|