
From d60c5a0b861625bc1184b0ed3951e9d46fc1e256 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 4 Sep 2020 15:21:42 +0200
Subject: [PATCH 1/3] Add ansible remediation for sudo_remove_nopasswd.
Add test scenarios for sudo_remove_nopasswd.
---
 .../sudo_remove_nopasswd/ansible/shared.yml   | 21 +++++++++++++++++++
 .../tests/correct_value.pass.sh               |  6 ++++++
 .../tests/wrong_value.fail.sh                 |  9 ++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
new file mode 100644
index 0000000000..ba0f9e78a6
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Find /etc/sudoers.d/ files
+  find:
+    paths:
+      - /etc/sudoers.d/
+  register: sudoers
+
+- name: "Remove lines containing NOPASSWD from sudoers files"
+  replace:
+    regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
+    replace: '# \g<1>'
+    path: "{{ item.path }}"
+    validate: /usr/sbin/visudo -cf %s
+  with_items:
+    - { path: /etc/sudoers }
+    - "{{ sudoers.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..3a94382235
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
+chmod 440 /etc/sudoers
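Review bot: This pass scenario only resets /etc/sudoers on L104–L106; /etc/sudoers.d/ is left as the image ships it, while the remediation in this same series edits both locations. If the test image carries a drop-in with `NOPASSWD` (cloud images commonly ship one for the default user), the scenario would fail for reasons unrelated to its fixture; adding `rm -f /etc/sudoers.d/*` after L104 would make it self-contained. The pass scenarios ending at L282 and L426 have the same gap.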
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..5b2eecd3be
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
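Review bot: `mkdir /etc/sudoers.d/` on L134 fails with "File exists" on any host where the directory is already present, which is the usual case once sudo is installed; the script has no `set -e`, so the scenario continues, but the error is misleading in the test log and would abort the scenario if strict mode were ever added. Use `mkdir -p /etc/sudoers.d/`. The same line appears at L308 and L454.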
From af0f8b73f84a1bd14a69295a04dd6520c56930ba Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 7 Sep 2020 16:25:40 +0200
Subject: [PATCH 2/3] Add bash remediation for sudo_remove_nopasswd.
---
 .../sudo/sudo_remove_nopasswd/bash/shared.sh    | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
new file mode 100644
index 0000000000..8c2f2f8240
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -0,0 +1,17 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
+  nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+  if ! test -z "$nopasswd_list"; then 
+    while IFS= read -r nopasswd_entry; do
+      # comment out "NOPASSWD:" matches to preserve user data
+      sed -i "s/^${nopasswd_entry}$/# &/g" $f
+    done <<< "$nopasswd_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
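Review bot: The line text captured on L185 is spliced unescaped into the sed expression on L193, so any sudoers entry containing `/` (every command path, e.g. `NOPASSWD: /usr/bin/systemctl`) makes sed abort with "unknown option to `s'" and the line is left active — the remediation silently fails for the most common real-world form, and `*` or `[` in an entry would likewise alter or break the match. Doing the match inside sed with an address removes the interpolation entirely and makes the `grep | uniq` loop unnecessary; the `for f in $(ls …)` loop on L183 and the unquoted `$f` on L185/L193/L199 should become a glob with quoted expansions. Note also that a `visudo -cf` failure on L199 is only echoed, not reverted, and a sudoers file left invalid makes sudo refuse every invocation, so keeping a pre-edit copy outside /etc/sudoers.d is worth considering.
```bash
# … unchanged: header comment …
shopt -s nullglob
for f in /etc/sudoers /etc/sudoers.d/*; do
  [ -f "$f" ] || continue
  if grep -qP '^(?!#).*[\s]+NOPASSWD[\s]*\:' "$f"; then
    # Comment out every active NOPASSWD line in one pass; the line text is never
    # interpolated into the sed expression, so '/' or '*' in command paths cannot
    # break the substitution.
    sed -i -E '/^#/!{/[[:space:]]+NOPASSWD[[:space:]]*:/s/^/# /}' "$f"
    /usr/sbin/visudo -cf "$f" &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done
```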
From e6ebab404aa415e7308f112e2ac99e8ccd821aff Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 7 Sep 2020 17:53:53 +0200
Subject: [PATCH 3/3] Create bash and ansible macro for sudo related rules.
---
 .../ansible/shared.yml                        |  7 +++++++
 .../bash/shared.sh                            |  7 +++++++
 .../tests/correct_value.pass.sh               |  6 ++++++
 .../tests/wrong_value.fail.sh                 |  9 +++++++++
 .../sudo_remove_nopasswd/ansible/shared.yml   | 16 +---------------
 .../sudo/sudo_remove_nopasswd/bash/shared.sh  | 12 +-----------
 .../ansible/shared.yml                        |  9 +++++++++
 .../bash/shared.sh                            |  9 +++++++++
 .../tests/correct_value.pass.sh               |  7 +++++++
 .../tests/wrong_value.fail.sh                 | 11 +++++++++++
 shared/macros-ansible.jinja                   | 19 +++++++++++++++++++
 shared/macros-bash.jinja                      | 14 ++++++++++++++
 12 files changed, 100 insertions(+), 26 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..692f86a2df
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..2de9538865
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
index ba0f9e78a6..37937aeda7 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -4,18 +4,4 @@
 # complexity = low
 # disruption = low
 
-- name: Find /etc/sudoers.d/ files
-  find:
-    paths:
-      - /etc/sudoers.d/
-  register: sudoers
-
-- name: "Remove lines containing NOPASSWD from sudoers files"
-  replace:
-    regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
-    replace: '# \g<1>'
-    path: "{{ item.path }}"
-    validate: /usr/sbin/visudo -cf %s
-  with_items:
-    - { path: /etc/sudoers }
-    - "{{ sudoers.files }}"
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
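Review bot: The second argument `"NOPASSWD[\s]*\:"` is a regex fragment carried as a Jinja string literal, and the macro bodies in shared/macros-ansible.jinja and shared/macros-bash.jinja that consume it are not in this chunk, so how it is embedded cannot be checked here. As far as I recall Jinja decodes backslash escapes in string literals with unicode-escape semantics, which leaves unknown sequences like `\s` and `\:` intact but would turn e.g. `\b` or `\n` into control characters before the regex engine sees them. A comment at the call site, `# second argument is a regex fragment; avoid escapes Jinja decodes (\b, \n, \t)`, would keep the next caller from tripping on that. The bash macro call on L400 has the same shape.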
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
index 8c2f2f8240..cd4f829482 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -4,14 +4,4 @@
 # complexity = low
 # disruption = low
 
-for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
-  nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$nopasswd_list"; then 
-    while IFS= read -r nopasswd_entry; do
-      # comment out "NOPASSWD:" matches to preserve user data
-      sed -i "s/^${nopasswd_entry}$/# &/g" $f
-    done <<< "$nopasswd_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6d01825fa8
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+rm -f /etc/sudoers
+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
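Review bot: L424 uses `>` and so truncates the file that L422 just wrote, leaving only `Defaults authenticate` in /etc/sudoers; the `%wheel` line never survives. Either append with `echo "Defaults authenticate" >> /etc/sudoers` or drop L422. The scenario still passes either way, but as written the two-line fixture it appears to set up is not what gets tested.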
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..a2942b97e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel        ALL=(ALL)       !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
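Review bot: L456 puts `!authenticate` inside a user specification (`%wheel ALL=(ALL) !authenticate ALL`); as far as I know that is not a Tag_Spec in the sudoers grammar (only forms like `NOPASSWD:` are), so `visudo -cf` would reject /etc/sudoers.d/sudoers and sudo would refuse to load it regardless of what the remediation does, which could make the post-remediation re-scan fail for the wrong reason. If a per-group override is intended, the valid form is a Defaults line, `Defaults:%wheel !authenticate`; otherwise drop L456, since L458 already exercises the Defaults form. Worth confirming by running `visudo -cf` on the fixture once.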