Skip to content

Prevent non-Privileged Users from Modifying Network Interfaces using nmcli

An XCCDF Rule

Description

By default, non-privileged users are given permissions to modify networking interfaces and configurations using the nmcli command. Non-privileged users should not be making configuration changes to network configurations. To ensure that non-privileged users do not have permissions to make changes to the network configuration using nmcli, create the following configuration in /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla:

[Disable General User Access to NetworkManager]
Identity=default
Action=org.freedesktop.NetworkManager.*
ResultAny=no
ResultInactive=no
ResultActive=auth_admin

Rationale

Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack.

ID
xccdf_org.ssgproject.content_rule_network_nmcli_permissions
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.16
  - NIST-800-53-AC-18(4)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q polkit; then

printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla

else