Prevent non-Privileged Users from Modifying Network Interfaces using nmcli
An XCCDF Rule
Description
By default, non-privileged users are given permissions to modify networking
interfaces and configurations using the nmcli
command. Non-privileged
users should not be making configuration changes to network configurations. To
ensure that non-privileged users do not have permissions to make changes to the
network configuration using nmcli
, create the following configuration in
/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
:
[Disable General User Access to NetworkManager] Identity=default Action=org.freedesktop.NetworkManager.* ResultAny=no ResultInactive=no ResultActive=auth_admin
Rationale
Allowing non-privileged users to make changes to network settings can allow untrusted access, prevent system availability, and/or can lead to a compromise or attack.
- ID
- xccdf_org.ssgproject.content_rule_network_nmcli_permissions
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q polkit; then
printf "[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n" > /etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla
else