ryran/00-lockdown-local-users.rules

## 00-lockdown-local-users.rules
// Tested in RHEL7, modern Fedora (last edited 2018/04)
// Save to /etc/polkit-1/rules.d/

/*
This first rule prevents wheel group-members from becoming polkit admins.
    (NOTE: of course you should delete/comment this first rule if you want
     your wheel users to have unfettered access to the system, or if you
     have any other custom admin declarations.)
This overrides /etc/polkit-1/rules.d/50-default.rules which would otherwise
make it possible for wheel-group members to do all kinds of things, e.g.:
- pkexec (can spawn anything as root, e.g., "pkexec bash")
- gnome-system-monitor (can kill/renice root processes)
- firewall-cmd, firewall-config (can modify/raise/lower firewall)
- various cfg apps (datetime, users, keyboard, remote-login [disable sshd])
*/

polkit.addAdminRule(function(action, subject) {
    return ["null"];
});

/*
This next rule prevents local non-root users from rebooting/suspending or messing
with networking.
- Hide buttons in GNOME & GDM if they weren't already hidden by other means.
- Disable "systemctl <reboot|poweroff|suspend|hibernate|hybrid-sleep|kexec>" as
  well as legacy alias commands like reboot, poweroff, halt, shutdown.
- Lock down nmtui, nmcli, nm-connection-editor, and gnome-network-panel,
  any of which would otherwise allow to modify/delete/create/raise/lower.
*/

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
        action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ||
        action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
            return polkit.Result.NO;
    }
});
	// Tested in RHEL7, modern Fedora (last edited 2018/04)
	// Save to /etc/polkit-1/rules.d/

	/*
	This first rule prevents wheel group-members from becoming polkit admins.
	(NOTE: of course you should delete/comment this first rule if you want
	your wheel users to have unfettered access to the system, or if you
	have any other custom admin declarations.)
	This overrides /etc/polkit-1/rules.d/50-default.rules which would otherwise
	make it possible for wheel-group members to do all kinds of things, e.g.:
	- pkexec (can spawn anything as root, e.g., "pkexec bash")
	- gnome-system-monitor (can kill/renice root processes)
	- firewall-cmd, firewall-config (can modify/raise/lower firewall)
	- various cfg apps (datetime, users, keyboard, remote-login [disable sshd])
	*/

	polkit.addAdminRule(function(action, subject) {
	return ["null"];
	});

	/*
	This next rule prevents local non-root users from rebooting/suspending or messing
	with networking.
	- Hide buttons in GNOME & GDM if they weren't already hidden by other means.
	- Disable "systemctl <reboot\|poweroff\|suspend\|hibernate\|hybrid-sleep\|kexec>" as
	well as legacy alias commands like reboot, poweroff, halt, shutdown.
	- Lock down nmtui, nmcli, nm-connection-editor, and gnome-network-panel,
	any of which would otherwise allow to modify/delete/create/raise/lower.
	*/

	polkit.addRule(function(action, subject) {
	if (action.id == "org.freedesktop.login1.suspend" \|\|
	action.id == "org.freedesktop.login1.suspend-multiple-sessions" \|\|
	action.id == "org.freedesktop.login1.power-off" \|\|
	action.id == "org.freedesktop.login1.power-off-multiple-sessions" \|\|
	action.id == "org.freedesktop.login1.reboot" \|\|
	action.id == "org.freedesktop.login1.reboot-multiple-sessions" \|\|
	action.id == "org.freedesktop.login1.hibernate" \|\|
	action.id == "org.freedesktop.login1.hibernate-multiple-sessions" \|\|
	action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
	return polkit.Result.NO;
	}
	});