
RHEL-08-010141: Unique Superuser Name for Maintenance | Non-Standard Configuration Method

Open Rwarcards762 opened this issue 2 years ago • 3 comments

Describe the Issue

Changes to the Superuser section of the grub.cfg file are done via /etc/grub.d/01_users. The RHEL8-STIG role currently applies these changes directly to the /boot/efi/EFI/redhat/grub.cfg which causes them to get overwritten when the grub.cfg is regenerated in later steps. If these changes were applied to the /etc/grub.d/01_users file instead, they would apply correctly.

Expected Behavior

Set rhel8stig_boot_superuser and have it apply, overwriting the default root configuration found in the 01_users file.

Actual Behavior

Changes are written to grub.cfg but are overwritten when the grub.cfg is recompiled, since the 01_users file takes precedence.

Control(s) Affected

RHEL-08-010141

Possible Solution

For just this control, the changes should be written to /etc/grub.d/01_users instead of the standard grub.cfg path.

OR

The default 01_users file should be deleted as part of the application of the STIG, to ensure the manual changes to the grub.cfg file are applied.

Rwarcards762, Oct 07 '22 15:10

rhel8stig_boot_superuser: root is set in the defaults/main.yml https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/defaults/main.yml#L579

Then it's applied here. https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/tasks/fix-cat2.yml#L293

My recommendation is to check if rhel8stig_boot_superuser != 'root', similar to this: https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/tasks/main.yml#L74

If rhel8stig_boot_superuser == root, then fail.

matthew-willis, Oct 07 '22 18:10

@matthew-willis The issue is not so much that root is getting applied (obviously that would be a finding, sure) but the manner in which it is being applied.

The superuser name is being set directly into the /boot/efi/EFI/redhat/grub.cfg -- however by default, a configuration exists in /etc/grub.d/01_users (takes precedence) which gets written into /boot/efi/EFI/redhat/grub.cfg when it is recompiled... which means right now you can set the rhel8stig_boot_superuser to anything you want but it'll still get overwritten back to root from that 01_users file.

This line is the problem:

https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/tasks/fix-cat2.yml#L297

Therefore, instead of writing those lineinfile items to the grub.cfg, they should be written to the /etc/grub.d/01_users file so that when the grub.cfg is compiled, they are propagated in correctly AND the old "root" default is overwritten. (Could even just go as far as doing a templated file for the 01_users, if desired.)

The line even mentions where this configuration should be coming from with the "BEGIN":

https://github.com/ansible-lockdown/RHEL8-STIG/blob/f062cac55b2fbd49ccf6a1e8b3b2404a5036bcf3/tasks/fix-cat2.yml#L303

However, I don't disagree that a flag to ensure the name has been changed from root is a good idea -- although it won't do anything and it'll keep getting reset to root until this configuration problem is solved.

Rwarcards762, Oct 07 '22 19:10
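
The drift described in this thread, as an added check that is not part of the issue or of the RHEL8-STIG role: it compares the superuser name in the generator script with the one in the 01_users section of the generated grub.cfg. The sample file contents and the name `maint` are constructed; on a real host the two arguments would be /etc/grub.d/01_users and /boot/efi/EFI/redhat/grub.cfg.

```bash
#!/usr/bin/env bash
# Added example: audit GRUB superuser drift. All file contents are constructed.

# Name assigned by the first `set superusers="..."` line read from stdin.
superuser_name() {
    sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' | head -n 1
}

# Only the part of a grub.cfg that was generated from /etc/grub.d/01_users.
users_section() {
    sed -n '/^### BEGIN \/etc\/grub.d\/01_users ###/,/^### END \/etc\/grub.d\/01_users ###/p' "$1"
}

# $1 = generator script (01_users), $2 = generated grub.cfg.
# Prints: ok | source-is-root | will-revert | unset
check_superuser() (
    src=$(superuser_name < "$1")
    gen=$(users_section "$2" | superuser_name)
    if [ -z "$src" ] || [ -z "$gen" ]; then
        echo unset
    elif [ "$src" != "$gen" ]; then
        echo will-revert      # grub.cfg was edited directly; regeneration restores $src
    elif [ "$src" = root ]; then
        echo source-is-root   # consistent, but still the default name
    else
        echo ok
    fi
)

# Write constructed samples into dir $1: $2 = name in 01_users, $3 = name in grub.cfg.
make_sample() {
    printf '%s\n' '#!/bin/sh -e' 'cat << EOF' \
        "    set superusers=\"$2\"" '    export superusers' \
        "    password_pbkdf2 $2 \\\${GRUB2_PASSWORD}" 'EOF' > "$1/01_users"
    printf '%s\n' '### BEGIN /etc/grub.d/01_users ###' \
        "    set superusers=\"$3\"" '    export superusers' \
        "    password_pbkdf2 $3 \${GRUB2_PASSWORD}" \
        '### END /etc/grub.d/01_users ###' > "$1/grub.cfg"
}

# The situation in this issue: grub.cfg says "maint" (hypothetical name), 01_users says root.
tmp=$(mktemp -d)
make_sample "$tmp" root maint
check_superuser "$tmp/01_users" "$tmp/grub.cfg"   # will-revert
rm -rf "$tmp"
```

A `will-revert` result means the name in grub.cfg does not come from 01_users and will be lost the next time grub.cfg is regenerated.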

Got it. Agree with your comment. I did this manually when the RHEL 7 STIG changed to this. Because prior, root was OK, but then in a later revision (I think v3r5) it changed to a non-system account.

Personally, I like the template method :)

matthew-willis, Oct 07 '22 19:10

Hi @Rwarcards762

Thanks again for all your work on this.

uk-bolly

uk-bolly, Oct 26 '22 15:10

This issue is fixed in release 2.6.0, thank you for opening the issue!

-George

georgenalen, Nov 02 '22 17:11