RHEL 7.4: Too many setuid bits removed #140

Closed
duk3luk3 opened this issue Aug 7, 2017 · 2 comments

duk3luk3 commented Aug 7, 2017

When running against RHEL 7.4 beta, these files have their setuid bits removed:

  • /usr/bin/su
  • /usr/sbin/netreport
  • /usr/libexec/openssh/ssh-keysign

This definitely breaks su. I don't know about the other files and if they should have setuid, but I suspect so.

I'll open a PR to add these files to the whitelist for RHEL 7.

As a workaround, add the files to the os_security_suid_sgid_whitelist var.

EDIT: I can't actually figure out how to apply the workaround - neither putting it into a group var nor in the playbook vars works... - I also don't know why it's acting as if os_security_suid_sgid_remove_from_unknown is set to true.

I am running Ansible 2.3.1.0, installed the role by doing git clone https://github.com/dev-sec/ansible-os-hardening.git dev-sec.os-hardening in /etc/ansible/roles, and this is my playbook:

```yaml
- hosts: '*'
  roles:
    - dev-sec.os-hardening
```

rndmh3ro added the bug label Aug 7, 2017


rndmh3ro commented Oct 1, 2017

Hey @duk3luk3, you're right about the su-binary, this should be fixed. Do you want to create a PR for this?

As for ssh-keysign: According to this mailinglist-entry, the binary is only used for host-based authentication, which should never be used (we also disable it in ssh-hardening). That's why it is in the blacklist.

As for netreport:

 netreport tells the network management scripts to send a SIGIO signal to the process which called netreport when any network interface status changes occur.

So removing the SGID from that binary is OK in my opinion.
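
An added example, not part of the thread and not the role's own code: a Python check to run on a host after the role has been applied, reporting which of the three files from this issue still carry setuid/setgid bits. The expectations table encodes the conclusion of the comment above; the function names and the `root` parameter are assumptions of this example.

```python
#!/usr/bin/env python3
"""Audit setuid/setgid bits on the files named in this issue (added example)."""
import os
import stat
import sys

# Expectations taken from the thread: su needs its setuid bit, while the
# maintainer considers stripping the bits from the other two acceptable.
EXPECTED = {
    "/usr/bin/su": True,
    "/usr/libexec/openssh/ssh-keysign": False,
    "/usr/sbin/netreport": False,
}

def special_bits(mode):
    """Return the special permission bits present in an st_mode value."""
    bits = set()
    if mode & stat.S_ISUID:
        bits.add("setuid")
    if mode & stat.S_ISGID:
        bits.add("setgid")
    return bits

def verdict(mode, want_special):
    """Compare one mode with the expectation; mode is None if the file is absent."""
    if mode is None:
        return "missing"
    if bool(special_bits(mode)) == want_special:
        return "ok"
    return "bit-removed" if want_special else "bit-present"

def audit(expected=EXPECTED, root="/"):
    """Stat every expected path below root (hypothetical parameter, useful for
    checking an unpacked image) and return {path: verdict}."""
    results = {}
    for path, want in expected.items():
        try:
            mode = os.stat(os.path.join(root, path.lstrip("/"))).st_mode
        except FileNotFoundError:
            mode = None  # e.g. package not installed on this host
        results[path] = verdict(mode, want)
    return results

if __name__ == "__main__":
    report = audit()
    for path, result in sorted(report.items()):
        print(f"{result:12} {path}")
    # Fail when a required bit is gone or an unwanted one is still set.
    sys.exit(1 if any(r.startswith("bit-") for r in report.values()) else 0)
```

A `bit-removed` result for `/usr/bin/su` is the regression reported in this issue.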


rndmh3ro commented Nov 9, 2018

fixed by #199

rndmh3ro closed this as completed Nov 9, 2018
rndmh3ro pushed a commit that referenced this issue Jul 24, 2020
Since OpenSSH 7.4/7.4p1 (2016-12-19)[0] (The default in Debian Stretch,
CentOS 7 and others) the "UseLogin" option has been deprecated.

Setting this option originally prevented usage of a "traditional"
/usr/sbin/login-based login – but has been set to "no" by default for
quite a while, so even if this role would be applied on a host with an
older OpenSSH version, the default value should still be safe.

Fixes #140

0. https://www.openssh.com/txt/release-7.4
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022