The issue relates to Video Course for ROL415 - RH415-RHEL-7.5-en-1-20180830
The Comprehensive Review for 'RESTRICTING USB DEVICE ACCESS AND
MITIGATING RISK WITH SELINUX'
I think the Lab for usbguard-cr has some content issues.
Specifically this task:
On servere, create a new administrative devops user with redhat as password. Map
that user to a confined SELinux user to restrict su access, but make sure that the user can
use the sudo command, and is able to log in through ssh
The course solution is:
- to create a user with selinux confine user set to sysadm_u selinux
- Adding the user to wheel group (for sudo)
- Changing ssh_sysadm_login boolean because sysadm_u can not ssh by default - once - again this affects ALL users in sysadm_u
- Editing pam configuration to disable all wheel users access via su
In my opinion, this is NOT the best way to address the requirement. Because it makes global changes and doesn't make use of a selinux confine user which has the requirement baked in.
My method is below:
- I created a user in the staff_u group which automatically prevents su access but allows sudo
- This staff_u group has ssh access set by default so no global booleans need changing
- I then added a sudoers rule to permit the devops user access to run sudo commands
devops ALL=(ALL) ALL
- I haven't addressed the text 'administrative devops user' because this is a vague term, and with sudo access it has full administrative capability
I believe the above is the *right* way to address the requirements because:
No global settings need changing i.e. the system's security posture is unaffected
The changes are limited to the user in question
It makes use of the staff_u account native ability to disable su without needing a PAM hack
It failed the lab grading script.
I look forward to hearing from you.
