-
Notifications
You must be signed in to change notification settings - Fork 709
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #12835 from mpurg/ubuntu2404_cis_5.4.3.1
Add new rule no_nologin_in_shells
- Loading branch information
Showing
10 changed files
with
96 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 changes: 10 additions & 0 deletions
10
linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # platform = multi_platform_all | ||
| # reboot = false | ||
| # strategy = configure | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| if grep -q -E "^[^#]*/nologin\b.*$" /etc/shells; then | ||
| sed -i --follow-symlinks 's/^[^#]*\/nologin\b.*$/#&/g' /etc/shells | ||
| fi | ||
|
|
28 changes: 28 additions & 0 deletions
28
linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/oval/shared.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| <def-group> | ||
| <definition class="compliance" id="{{{ rule_id }}}" version="1"> | ||
| <metadata> | ||
| <title>Ensure nologin Shell is Not Listed in /etc/shells</title> | ||
| <affected family="unix"> | ||
| <platform>multi_platform_all</platform> | ||
| </affected> | ||
| <description>The nologin shell should not be listed in /etc/shells.</description> | ||
| </metadata> | ||
| <criteria> | ||
| <criterion comment="nologin not in /etc/shells" test_ref="test_{{{ rule_id }}}" /> | ||
| </criteria> | ||
| </definition> | ||
|
|
||
| <ind:textfilecontent54_test check="all" check_existence="none_exist" | ||
| comment="Check for nologin in /etc/shells" | ||
| id="test_{{{ rule_id }}}" version="1"> | ||
| <ind:object object_ref="obj_{{{ rule_id }}}"/> | ||
| </ind:textfilecontent54_test> | ||
|
|
||
| <ind:textfilecontent54_object id="obj_{{{ rule_id }}}" version="1"> | ||
| <ind:filepath>/etc/shells</ind:filepath> | ||
| <ind:pattern operation="pattern match">^[^#]*/nologin\b.*$</ind:pattern> | ||
| <ind:instance datatype="int" operation="greater than or equal">1</ind:instance> | ||
| </ind:textfilecontent54_object> | ||
| </def-group> | ||
|
|
||
|
|
24 changes: 24 additions & 0 deletions
24
linux_os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Ensure nologin Shell is Not Listed in /etc/shells' | ||
|
|
||
| description: |- | ||
| The <tt>/sbin/nologin</tt> shell is used to restrict accounts from having login access | ||
| and should not be listed as a valid login shell in <tt>/etc/shells</tt>. | ||
| To verify that nologin is not listed in /etc/shells, run: | ||
| <pre>$ grep nologin /etc/shells</pre> | ||
| The command should return no output. | ||
| rationale: |- | ||
| The <tt>/etc/shells</tt> is consulted by various programs to evaluate | ||
| whether the user is somehow restricted. For example, the chsh utility will | ||
| consult the file to determine if the user is allowed to change their shell. | ||
| severity: medium | ||
|
|
||
| ocil_clause: 'nologin is listed in /etc/shells' | ||
|
|
||
| ocil: |- | ||
| To verify that nologin is not listed in /etc/shells, run: | ||
| <pre>$ grep nologin /etc/shells</pre> | ||
| The command should return no output. |
6 changes: 6 additions & 0 deletions
6
.../guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/commented.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
|
|
||
| sed -i --follow-symlinks '/nologin/d' /etc/shells | ||
| echo "#/sbin/nologin" >> /etc/shells | ||
|
|
||
|
|
6 changes: 6 additions & 0 deletions
6
..._os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/exists.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
|
|
||
| sed -i --follow-symlinks '/nologin/d' /etc/shells | ||
| echo "/sbin/nologin" >> /etc/shells | ||
|
|
||
|
|
5 changes: 5 additions & 0 deletions
5
...os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/missing.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| #!/bin/bash | ||
|
|
||
| sed -i --follow-symlinks '/nologin/d' /etc/shells | ||
|
|
||
|
|
7 changes: 7 additions & 0 deletions
7
...s/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/multiple.fail.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| #!/bin/bash | ||
|
|
||
| sed -i --follow-symlinks '/nologin/d' /etc/shells | ||
| echo "/sbin/nologin" >> /etc/shells | ||
| echo "/usr/sbin/nologin" >> /etc/shells | ||
|
|
||
|
|
6 changes: 6 additions & 0 deletions
6
...os/guide/system/accounts/accounts-restrictions/no_nologin_in_shells/tests/similar.pass.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| #!/bin/bash | ||
|
|
||
| sed -i --follow-symlinks '/nologin/d' /etc/shells | ||
| echo "/sbin/nologinormaybe" >> /etc/shells | ||
|
|
||
|
|