put exec back to configure_bashrc_exec_tmux

[vojtapolasek]

Description:

• modify the rule so that the "exec" is used in the command
• remove it from RHEL 9 STIG and assign configure_bashrc_tmux instead

Rationale:

• the exec command in the rule plays quite an important role. If the exec is present, then exiting tmux will drop user into a login shell. Without exec, it will drop to regular shell, so that the screen locking mechanism might be not effective.

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1
+++ ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1
@@ -4,7 +4,7 @@
 
 $ sudo grep tmux /etc/bashrc /etc/profile.d/*
 
-/etc/profile.d/tmux.sh:  case "$name" in (sshd|login) tmux ;; esac
+/etc/profile.d/tmux.sh:  case "$name" in (sshd|login) exec tmux ;; esac
 
 Review the tmux script by using the following example:
 
@@ -13,7 +13,7 @@
 if [ "$PS1" ]; then
 parent=$(ps -o ppid= -p $$)
 name=$(ps -o comm= -p $parent)
-case "$name" in (sshd|login) tmux ;; esac
+case "$name" in (sshd|login) exec tmux ;; esac
 fi
 
 If the shell file is not configured as the example above, is commented out, or is missing, this is a finding.

bash remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
@@ -1,12 +1,12 @@
 # Remediation is applicable only in certain platforms
 if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q tmux; }; then
 
-if ! grep -x '  case "$name" in sshd|login) tmux ;; esac' /etc/bashrc; then
+if ! grep -x '  case "$name" in sshd|login) exec tmux ;; esac' /etc/bashrc; then
     cat >> /etc/profile.d/tmux.sh <<'EOF'
 if [ "$PS1" ]; then
   parent=$(ps -o ppid= -p $$)
   name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) tmux ;; esac
+  case "$name" in sshd|login) exec tmux ;; esac
 fi
 EOF
     chmod 0644 /etc/profile.d/tmux.sh

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux' differs.
--- xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
+++ xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux
@@ -15,7 +15,7 @@
   ansible.builtin.find:
     paths: /etc
     patterns: bashrc
-    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
+    contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
   register: tmux_in_bashrc
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@@ -34,7 +34,7 @@
   ansible.builtin.find:
     paths: /etc/profile.d
     patterns: '*.sh'
-    contains: .*case "$name" in sshd|login\) tmux ;; esac.*
+    contains: .*case "$name" in sshd|login\) exec tmux ;; esac.*
   register: tmux_in_profile_d
   when:
   - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
@@ -55,7 +55,7 @@
       if [ "$PS1" ]; then
         parent=$(ps -o ppid= -p $$)
         name=$(ps -o comm= -p $parent)
-        case "$name" in sshd|login) tmux ;; esac
+        case "$name" in sshd|login) exec tmux ;; esac
       fi
     create: true
   when:

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[codeclimate]

Code Climate has analyzed commit ee739c5 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.4% (0.0% change).

View more on Code Climate.

[Mab879]

/retest-required

[Mab879]

LGTM.

Thanks!

[Mab879]

Waving Automatus for SLE15 as it appears not be applicable for the platform.