Prevent non-Privileged Users from Modifying Network Interfaces using nmcli

An XCCDF Rule

Description

By default, non-privileged users are given permissions to modify networking interfaces and configurations using the nmcli command. Non-privileged users should not be making configuration changes to network configurations. To ensure that non-privileged users do not have permissions to make changes to the network configuration using nmcli, create the following configuration in /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla:

[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

Rationale

Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack.

ID: xccdf_org.ssgproject.content_rule_network_nmcli_permissions
Severity: Medium
References: 3.1.16

0418 1055 1402

AC-18(4) CM-6(a)

CCE-82178-5

1.2.8
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-82178-5
  - NIST-800-171-3.1.16  - NIST-800-53-AC-18(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-1.2.8
  - low_complexity
  - low_disruption
  - medium_severity
  - network_nmcli_permissions
  - no_reboot_needed
  - restrict_strategy

- name: Ensure non-privileged users do not have access to nmcli
  ini_file:
    path: /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
    section: Disable General User Access to NetworkManager
    option: '{{ item.option }}'
    value: '{{ item.value }}'
    no_extra_spaces: true
    create: true
  loop:
  - option: Identity
    value: default
  - option: Action
    value: org.freedesktop.NetworkManager.*
  - option: ResultAny
    value: 'no'
  - option: ResultInactive
    value: 'no'
  - option: ResultActive
    value: auth_admin
  when: '"polkit" in ansible_facts.packages'
  tags:
  - CCE-82178-5
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(4)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-1.2.8
  - low_complexity
  - low_disruption
  - medium_severity
  - network_nmcli_permissions
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q polkit; then

printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Prevent non-Privileged Users from Modifying Network Interfaces using nmcli

Description

Rationale

Remediation - Ansible

Remediation - Shell Script