Merge "Fix: Ensure compliance with sudo and su security best practices"

pam-config/debian/deb_folder/pam-config.install

@@ -5,3 +5,4 @@ common-session-noninteractive /usr/share/starlingx
 common-account /usr/share/starlingx
 faillock.conf /usr/share/starlingx
 pwquality.conf /usr/share/starlingx
+su /usr/share/starlingx

pam-config/debian/deb_folder/postinst

@@ -10,5 +10,6 @@ cp /usr/share/starlingx/common-session-noninteractive /etc/pam.d/common-session-
 cp /usr/share/starlingx/faillock.conf /etc/security/faillock.conf
 mkdir -p /etc/security/pwquality.conf.d
 cp /usr/share/starlingx/pwquality.conf /etc/security/pwquality.conf.d/50-pwquality.conf
+cp /usr/share/starlingx/su /etc/pam.d/su
 
 #DEBHELPER#

pam-config/source-debian/su

@@ -0,0 +1,61 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth       sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group wheel
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "wheel" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+# auth       required   pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth       sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth       required   pam_wheel.so deny group=nosu
+auth required pam_wheel.so use_uid group=sys_admin
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account    requisite  pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session       required   pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session       required   pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session    optional   pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session    required   pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
+

sudo-config/source-debian/sysadmin.sudo

@@ -10,3 +10,5 @@ sysadmin ALL=(root) NOPASSWD: /usr/local/sbin/collect
 
 Defaults lecture=never, secure_path=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
 Defaults passprompt="Password: "
+Defaults use_pty
+Defaults logfile="/var/log/sudo.log"