This commit addresses the following security recommendations:
1. **5.2.2 Ensure sudo commands use pty**
- Updated sudo configuration to enforce the use of a pseudo-terminal
for all sudo commands. This ensures proper logging and enhances
security by preventing certain attack vectors.
2. **5.2.3 Ensure sudo log file exists**
- Configured sudo to log all command executions to
`/var/log/sudo.log`.
- Added log file creation and appropriate permissions to the package
deployment process to prevent unauthorized access.
3. **5.2.7 Ensure access to the su command is restricted**
- Added `/etc/pam.d/su` to restrict access to the `su` command to
members of of the sys_admin group instead of the default wheel
group.
- Updated the PAM configuration templates and package installation
scripts to ensure this change is consistently applied across all
deployments.
Files Changed:
- `pam-config/source-debian/su`:
- Added PAM configurations to restrict `su` command usage.
- `pam-config/debian/deb-folder/pam-config.install`
- `pam-config/debian/deb-folder/postinst`:
- Included `su.pam` in package deployment.
- `sudo-config/files/sysadmin.sudo` (template):
- Enabled `Defaults use_pty`.
- Configured `Defaults logfile="/var/log/sudo.log"`.
TestPlan
PASS: build-pkgs -c -p sudo-config,pam-config
PASS: build-image
PASS: bootstrap
PASS: CIS benchmark SCAN
PASS: Verify su access for a user in sys_admin
- Log in as a user that is a member of the sys_admin group
- Run `su -`. Enter the root password when prompted
- The user should successfully switch to root
PASS: Verify su access is denied for a user not in sys_admin
- Log in as a user that is not a member of the sys_admin group
- Run `su -`. Enter the root password when prompted
- Access should be denied, displaying an authentication failure
message.
PASS: Verify su access logs Are generated
- Attempt su - from both allowed and denied users
- The /var/log/auth.log logs should indicate successful and
failed su attempts
PASS: Verify that a sys_admin group member can use su
- Add a test user to the sys_admin group if not already a member
`sudo usermod -aG sys_admin testuser`
- Switch to the test user: `su - testuser`
- Attempt to switch to root using su: `su -`
- Should allow the switch without any errors
PASS: Verify that a non-member is denied
- Switch to a user not in the sys_admin group
- Attempt to use su: `su -`
- Should see an error message like:
su: Authentication failure
Story: 2011295
Task: 51389
Change-Id: I3d429ed9efcc00d72b70d8748e4303dd539399d4
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
ee258bc868