{"description": "By default, non-privileged users are given permissions to modify networking\ninterfaces and configurations using the <tt>nmcli</tt> command. Non-privileged\nusers should not be making configuration changes to network configurations. To\nensure that non-privileged users do not have permissions to make changes to the\nnetwork configuration using <tt>nmcli</tt>, create the following configuration in\n<tt>/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla</tt>:\n<pre>\n[Disable General User Access to NetworkManager]\nIdentity=default\nAction=org.freedesktop.NetworkManager.*\nResultAny=no\nResultInactive=no\nResultActive=auth_admin\n</pre>", "rationale": "Allowing non-privileged users to make changes to network settings can allow\nuntrusted access, prevent system availability, and/or can lead to a compromise or\nattack.", "severity": "medium", "references": {"cui": ["3.1.16"], "nist": ["AC-18(4)", "CM-6(a)"], "ism": ["0418", "1055", "1402"], "pcidss4": ["1.2.8", "1.2"]}, "control_references": {"ism": ["0418", "1055", "1402"], "pcidss4": ["1.2.8", "1.2"]}, "components": [], "identifiers": {}, "ocil_clause": "non-privileged users can modify or change network settings", "ocil": "Using a non-privileged account, verify that users cannot modify or change\nnetwork settings with the <tt>nmcli</tt> command with the following command:\n<pre>$ nmcli general permissions</pre>\nThe output should contain the following:\n<pre>PERMISSION                                                        VALUE\norg.freedesktop.NetworkManager.enable-disable-network             auth\norg.freedesktop.NetworkManager.enable-disable-wifi                auth\norg.freedesktop.NetworkManager.enable-disable-wwan                auth\norg.freedesktop.NetworkManager.enable-disable-wimax               auth\norg.freedesktop.NetworkManager.sleep-wake                         auth\norg.freedesktop.NetworkManager.network-control                    auth\norg.freedesktop.NetworkManager.wifi.share.protected               auth\norg.freedesktop.NetworkManager.wifi.share.open                    auth\norg.freedesktop.NetworkManager.settings.modify.system             auth\norg.freedesktop.NetworkManager.settings.modify.own                auth\norg.freedesktop.NetworkManager.settings.modify.hostname           auth\norg.freedesktop.NetworkManager.settings.modify.global-dns         auth\norg.freedesktop.NetworkManager.reload                             auth\norg.freedesktop.NetworkManager.checkpoint-rollback                auth\norg.freedesktop.NetworkManager.enable-disable-statistics          auth\norg.freedesktop.NetworkManager.enable-disable-connectivity-check  auth\norg.freedesktop.NetworkManager.wifi.scan                          auth\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": ["package[polkit]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_polkit"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Prevent non-Privileged Users from Modifying Network Interfaces using nmcli", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network_nmcli_permissions/rule.yml", "template": null}