Set Up a Private Namespace in PAM Configuration

An XCCDF Rule

Description

To set up a private namespace, add the following line to /etc/pam.d/login:

session    required     pam_namespace.so

Rationale

The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name or, when using SELinux, on user name, security context, or both. The polyinstantiated directories can be used to dedicate separate temporary directories to each account.

ID
xccdf_org.ssgproject.content_rule_enable_pam_namespace
Severity
Low

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91505-8
  - enable_pam_namespace

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

    # Append the rule only if an identical line is not already present
    if ! grep -Eq '^\s*session\s+required\s+pam_namespace\.so\s*$' '/etc/pam.d/login' ; then
        echo "session    required     pam_namespace.so" >> "/etc/pam.d/login"
    fi

fi
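
The grep in the remediation above matches only the exact line with no module arguments and no module path, so a rule such as "session required pam_namespace.so unmnt_remnt" is not recognized and a second line gets appended. The following is an added example, not part of the rule's own content: an audit that parses the PAM rule fields, and an append that runs only when no active rule exists. The function names and status codes are hypothetical, and files pulled in through include or substack are not followed.

```shell
# Added example. Status: 0 = active "session required pam_namespace.so",
# 1 = no active pam_namespace session rule, 2 = rule present but control is
# not "required", 3 = file unreadable. include/substack files are not followed.
check_pam_namespace() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 3; }
    awk '
        { sub(/#.*/, "") }                  # drop comments and commented-out rules
        NF < 3 { next }                     # a rule needs type, control, module
        {
            t = $1; sub(/^-/, "", t)        # "-session" is still a session rule
            if (t != "session") next
            ctl = $2; i = 3
            if (ctl ~ /^\[/)                # bracketed control may span fields
                while (ctl !~ /\]$/ && i <= NF) { ctl = ctl " " $i; i++ }
            n = split($i, parts, "/")       # bare module name or absolute path
            if (parts[n] != "pam_namespace.so") next
            if (ctl == "required") found = 1; else weak = 1
        }
        END { if (found) exit 0; if (weak) exit 2; exit 1 }
    ' "$1"
}

# Append the rule only when the audit finds no active pam_namespace rule.
# A weaker existing rule (status 2) is reported for review, not duplicated.
ensure_pam_namespace() {
    _st=0
    check_pam_namespace "$1" || _st=$?
    case "$_st" in
        0) ;;                               # already compliant, nothing to do
        1) echo "session    required     pam_namespace.so" >> "$1" ;;
        *) echo "$1: not changed (status $_st), review manually" >&2
           return "$_st" ;;
    esac
}
```

Run check_pam_namespace /etc/pam.d/login for a read-only audit; ensure_pam_namespace writes to the file it is given.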