AMAZON2-CIS
Task 1.4.2 Ensure authentication required for single user mode
Describe the Issue
The following tasks are getting updated incorrectly as compared to the CIS Workbench documentation:
- name: "1.4.2 | PATCH | Ensure authentication required for single user mode | Emergency service"
  lineinfile:
    dest: /usr/lib/systemd/system/emergency.service
    regexp: '/sbin/sulogin'
    line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'

- name: "1.4.2 | PATCH | Ensure authentication required for single user mode | Rescue service"
  lineinfile:
    dest: /usr/lib/systemd/system/rescue.service
    regexp: '/sbin/sulogin'
    line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
As per CIS Workbench (https://workbench.cisecurity.org/sections/839924/recommendations/1379214):
Remediation Procedure
Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin:
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
Expected Behavior
It is supposed to update the rescue.service and emergency.service files with the following line:
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
Actual Behavior
It is updating the rescue.service and emergency.service files with the following line:
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default
Environment (please complete the following information):
- branch: Tag 1.2.1
Additional Notes
If this change can be implemented, that will help us with fixing our Chef InSpec issues.
Possible Solution
In order to fix the issue, in task 1.4.2, the following line:
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default
can be replaced with:
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
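The script below is an added audit helper, not code from the AMAZON2-CIS role or from CIS Workbench. It checks the ExecStart line that CIS 1.4.2 expects in rescue.service and emergency.service and tells apart the exact expected line, a line with unbalanced double quotes (the truncated variant this report describes), a missing sulogin line, and a balanced line that differs from the expected one. The two unit files it inspects are constructed in a temporary directory to stand in for the real files under /usr/lib/systemd/system/; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper (not part of the AMAZON2-CIS role or of CIS Workbench).
# It checks the ExecStart line that CIS 1.4.2 expects in rescue.service and
# emergency.service and distinguishes the unbalanced-quote variant reported
# in this issue from a correct line.

EXPECTED='ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'

# count_double_quotes LINE -> prints the number of " characters in LINE
count_double_quotes() {
    printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' '
}

# check_sulogin_execstart FILE
#   0  the expected line is present exactly as CIS specifies
#   1  a sulogin ExecStart line is present but its double quotes are unbalanced
#      (the defect from this issue: the command line cannot be parsed as written)
#   2  no ExecStart line mentioning sulogin exists
#   3  a balanced sulogin line is present but differs from the expected one
check_sulogin_execstart() {
    line=$(grep -E '^ExecStart=.*sulogin' "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 2
    quotes=$(count_double_quotes "$line")
    [ $((quotes % 2)) -eq 0 ] || return 1
    [ "$line" = "$EXPECTED" ] || return 3
    return 0
}

# describe_status CODE -> prints a short label for a check result
describe_status() {
    case "$1" in
        0) echo "PASS" ;;
        1) echo "FAIL (unbalanced quotes)" ;;
        2) echo "FAIL (no sulogin ExecStart)" ;;
        *) echo "FAIL (unexpected ExecStart)" ;;
    esac
}

# Constructed sample units standing in for the real files under
# /usr/lib/systemd/system/: rescue.service carries the correct line and
# emergency.service the truncated line quoted in this issue.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/rescue.service" <<'EOF'
[Service]
Environment=HOME=/root
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
EOF
cat > "$DEMO/emergency.service" <<'EOF'
[Service]
Environment=HOME=/root
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default
EOF

# Report one line per unit, e.g. "emergency.service: FAIL (unbalanced quotes)".
for unit in rescue.service emergency.service; do
    rc=0
    check_sulogin_execstart "$DEMO/$unit" || rc=$?
    printf '%s: %s\n' "$unit" "$(describe_status "$rc")"
done
```

To run it against a real host, point check_sulogin_execstart at the two unit files under /usr/lib/systemd/system/ instead of the constructed ones; a non-zero code on either file means the role's lineinfile result does not match the CIS remediation line.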