starlingx/config-files
Code Issues Proposed changes
config-files/pam-config/source-debian/su
Rahul Roshan Kachchap ee258bc868 Fix: Ensure compliance with sudo and su security best practices 
This commit addresses the following security recommendations:

1. **5.2.2 Ensure sudo commands use pty**
   - Updated sudo configuration to enforce the use of a pseudo-terminal
     for all sudo commands. This ensures proper logging and enhances
     security by preventing certain attack vectors.

2. **5.2.3 Ensure sudo log file exists**
   - Configured sudo to log all command executions to
     `/var/log/sudo.log`.
   - Added log file creation and appropriate permissions to the package
     deployment process to prevent unauthorized access.

3. **5.2.7 Ensure access to the su command is restricted**
   - Added `/etc/pam.d/su` to restrict access to the `su` command to
     members of of the sys_admin group instead of the default wheel
     group.
   - Updated the PAM configuration templates and package installation
     scripts to ensure this change is consistently applied across all
     deployments.

Files Changed:
- `pam-config/source-debian/su`:
  - Added PAM configurations to restrict `su` command usage.
- `pam-config/debian/deb-folder/pam-config.install`
- `pam-config/debian/deb-folder/postinst`:
  - Included `su.pam` in package deployment.
- `sudo-config/files/sysadmin.sudo` (template):
  - Enabled `Defaults use_pty`.
  - Configured `Defaults logfile="/var/log/sudo.log"`.

TestPlan
PASS: build-pkgs -c -p sudo-config,pam-config
PASS: build-image
PASS: bootstrap
PASS: CIS benchmark SCAN
PASS: Verify su access for a user in sys_admin
      - Log in as a user that is a member of the sys_admin group
      - Run `su -`. Enter the root password when prompted
      - The user should successfully switch to root
PASS: Verify su access is denied for a user not in sys_admin
      - Log in as a user that is not a member of the sys_admin group
      - Run `su -`. Enter the root password when prompted
      - Access should be denied, displaying an authentication failure
        message.
PASS: Verify su access logs Are generated
      - Attempt su - from both allowed and denied users
      - The /var/log/auth.log logs should indicate successful and
        failed su attempts
PASS: Verify that a sys_admin group member can use su
      - Add a test user to the sys_admin group if not already a member
        `sudo usermod -aG sys_admin testuser`
      - Switch to the test user: `su - testuser`
      - Attempt to switch to root using su: `su -`
      - Should allow the switch without any errors
PASS: Verify that a non-member is denied
      - Switch to a user not in the sys_admin group
      - Attempt to use su: `su -`
      - Should see an error message like:
        su: Authentication failure

Story: 2011295
Task: 51389

Change-Id: I3d429ed9efcc00d72b70d8748e4303dd539399d4
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
2025-02-03 00:32:47 -05:00

62 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

#
# The PAM configuration file for the Shadow `su' service
#
# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
# Uncomment this to force users to be a member of group wheel
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "wheel" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so
# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust
# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu
auth required pam_wheel.so use_uid group=sys_admin
# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so
# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale
# Defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
#
# "nopen" stands to avoid reporting new mail when su'ing to another user
session optional pam_mail.so nopen
# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-session
View Git Blame Copy Permalink