Merge pull request #12864 from vojtapolasek/require_singleuser_auth_u…

…pdate_prose require_singleuser_auth:update prose
ComplianceAsCode · Jan 21, 2025 · d038079 · d038079
2 parents 4016027 + f48da81
commit d038079
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/...os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml b/...os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml
@@ -13,12 +13,21 @@ checktext: |-
 
     ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
 
-    If this line is not returned, or is commented out, this is a finding.
+    In case the output does not match, check if the <tt>ExecStart</tt> directive is not overridden:
+
+    grep ExecStart /etc/systemd/system/rescue.service.d/*.conf
+
+    The output should contain two lines:
+    ExecStart=
+    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+
+    If the line is not returned in any of cases mentioned above, or is commented out, this is a finding.
 
 fixtext: |-
     Configure {{{ full_name }}} to require authentication for single-user mode.
 
-    Add or modify the following line in the "/usr/lib/systemd/system/rescue.service" file:
+    Add following two lines to the file "/etc/systemd/system/rescue.service.d/10-remediation.conf":
 
+    ExecStart=
     ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
 
diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml
@@ -64,6 +64,17 @@ ocil: |-
         <pre>ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
     {{%- endif %}}
 
+    In case the output does not match, check if the <tt>ExecStart</tt> directive is not overridden:
+    <pre>grep ExecStart /etc/systemd/system/rescue.service.d/*.conf</pre>
+    The output should contain two lines:
+    <pre>ExecStart=
+    {{% if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
+    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</pre>
+    {{%- else -%}}
+    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
+    {{%- endif %}}
+
+
     {{% if product not in ["ol8", "rhel8"] %}}
     Then, verify that the rescue service is in the runlevel1.target.
     Run the following command:
@@ -85,11 +96,12 @@ ocil: |-
 fixtext: |-
     Configure {{{ full_name }}} to require authentication in single user mode.
 
-    Add or update the following line in "/usr/lib/systemd/system/rescue.service":
+    Ensure that there are following two lines  in <tt>/etc/systemd/system/rescue.service.d/10-remediation.conf</tt>:
+    <pre>ExecStart=
     {{% if product in ["fedora", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}
-    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
+    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue</pre>
     {{%- else -%}}
-    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
+    ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"</pre>
     {{%- endif %}}
 
 srg_requirement: '{{{ full_name }}} must require authentication upon booting into rescue mode.'