File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (52 lines) | stat: -rw-r--r-- 2,249 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
documentation_complete: true


title: 'Enable authselect'

description: |-
    Configure user authentication setup to use the <tt>authselect</tt> tool.
    If authselect profile is selected, the rule will enable the {{{ xccdf_value("var_authselect_profile") }}} profile.

rationale: |-
    Authselect is a successor to authconfig.
    It is a tool to select system authentication and identity sources from a list of supported
    profiles instead of letting the administrator manually build the PAM stack.

    That way, it avoids potential breakage of configuration, as it ships several tested profiles
    that are well tested and supported to solve different use-cases.

severity: medium

identifiers:
    cce@rhel8: CCE-88248-0
    cce@rhel9: CCE-89732-2
    cce@rhel10: CCE-87407-3

references:
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)  # taken from require_singleuser_auth
    nist: AC-3
    ospp: FIA_UAU.1,FIA_AFL.1
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'authselect is not used to manage user authentication setup on the system'

ocil: |-
    Verify that <tt>authselect</tt> is enabled by running
    <pre>authselect current</pre>
    If authselect is enabled on the system, the output should show the ID of the profile which is currently in use.

fixtext: |-
    Configure {{{ full_name }}} to select an authselect profile if one is not already selected.
    Use the following command to enable the {{{ xccdf_value("var_authselect_profile") }}} profile:

    sudo authselect select {{{ xccdf_value("var_authselect_profile") }}}

srg_requirement: '{{{ full_name }}} must use authselect to manage PAM settings'

warnings:
    - general: |-
       If the <tt>sudo authselect select</tt> command returns an error informing that the chosen
       profile cannot be selected, it is probably because PAM files have already been modified by
       the administrator. If this is the case, in order to not overwrite the desired changes made
       by the administrator, the current PAM settings should be investigated before forcing the
       selection of the chosen authselect profile.