From d60c5a0b861625bc1184b0ed3951e9d46fc1e256 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 4 Sep 2020 15:21:42 +0200
Subject: [PATCH 1/3] Add ansible remediation for sudo_remove_nopasswd.
Add test scenarios for sudo_remove_nopasswd.
---
.../sudo_remove_nopasswd/ansible/shared.yml | 21 +++++++++++++++++++
.../tests/correct_value.pass.sh | 6 ++++++
.../tests/wrong_value.fail.sh | 9 ++++++++
3 files changed, 36 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
new file mode 100644
index 0000000000..ba0f9e78a6
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+
+- name: "Remove lines containing NOPASSWD from sudoers files"
+ replace:
+ regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
+ replace: '# \g<1>'
+ path: "{{ item.path }}"
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - { path: /etc/sudoers }
+ - "{{ sudoers.files }}"
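Review bot: The `find` task on line 26 hands every regular file under /etc/sudoers.d/ to the `replace` task, including names sudo itself ignores in an #includedir (files containing a `.` or ending in `~`, such as editor backups), so a NOPASSWD line in a stale backup is run through `visudo -cf %s` and a failure there aborts the task for the whole host even though sudo never reads that file. Narrowing the search, e.g. `excludes: ['*~', '*.*']` under `find:`, keeps the rewrite to files sudo actually loads. Patch 3 moves this logic into `ansible_sudo_remove_config`, whose body is not in the visible part of the series, so the same question applies there.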
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..3a94382235
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "%wheel ALL=(ALL) ALL" > /etc/sudoers
+chmod 440 /etc/sudoers
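Review bot: The pass scenario resets /etc/sudoers on line 50 but never touches /etc/sudoers.d/, so whatever drop-ins the test image ships with (or the `/etc/sudoers.d/sudoers` left behind by wrong_value.fail.sh, if the harness does not restore a snapshot between scenarios) still count against the rule and can turn this into a false failure. A cleanup such as `rm -f /etc/sudoers.d/*` before the echo makes the scenario self-contained. The same holds for the correct_value.pass.sh files of sudo_remove_no_authenticate and sudo_require_authentication in patch 3.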
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..5b2eecd3be
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
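Review bot: `mkdir /etc/sudoers.d/` on line 65 fails with "File exists" on images that already ship the directory, which the stock sudoers of most distributions references via #includedir; the script has no `set -e`, so it carries on, but the error is noise in every run and would abort the scenario if strict mode is ever added. `mkdir -p /etc/sudoers.d/` is the intended behaviour. The same line appears in the wrong_value.fail.sh of sudo_remove_no_authenticate and sudo_require_authentication in patch 3.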
From af0f8b73f84a1bd14a69295a04dd6520c56930ba Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 7 Sep 2020 16:25:40 +0200
Subject: [PATCH 2/3] Add bash remediation for sudo_remove_nopasswd.
---
.../sudo/sudo_remove_nopasswd/bash/shared.sh | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
new file mode 100644
index 0000000000..8c2f2f8240
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -0,0 +1,17 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
+ nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$nopasswd_list"; then
+ while IFS= read -r nopasswd_entry; do
+ # comment out "NOPASSWD:" matches to preserve user data
+ sed -i "s/^${nopasswd_entry}$/# &/g" $f
+ done <<< "$nopasswd_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
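Review bot: Line 93 interpolates each matched sudoers line into a sed regex unescaped, so any entry containing `/` (every NOPASSWD rule that names a command path, a constructed example being `user ALL=(ALL) NOPASSWD: /usr/bin/systemctl`) makes sed fail with an unterminated `s` command and the line is left untouched, while `.`, `*`, `(`, `)` and `[` silently change what is matched. The loop on line 88 also parses `ls` output and word-splits the unquoted `$f`, which breaks on any filename containing whitespace. The pattern can be handed to sed once and the per-line loop dropped entirely, as below; `grep -P` is also not available on every platform covered by `multi_platform_all`, so a `[[:space:]]`-based ERE may be preferable for the detection step as well. Patch 3 moves this body into `bash_sudo_remove_config`, which is outside the visible part of the series, so the fix belongs in the macro.
```shell
for f in /etc/sudoers /etc/sudoers.d/*; do
  [ -f "$f" ] || continue
  if grep -qP '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' "$f"; then
    # comment out "NOPASSWD:" matches to preserve user data; the pattern goes
    # straight to sed, so matched text is never re-interpreted as a regex
    sed -i -E '/^[^#].*[[:space:]]+NOPASSWD[[:space:]]*:/s/^/# /' "$f"
    /usr/sbin/visudo -cf "$f" &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done
```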
From e6ebab404aa415e7308f112e2ac99e8ccd821aff Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 7 Sep 2020 17:53:53 +0200
Subject: [PATCH 3/3] Create bash and ansible macro for sudo related rules.
---
.../ansible/shared.yml | 7 +++++++
.../bash/shared.sh | 7 +++++++
.../tests/correct_value.pass.sh | 6 ++++++
.../tests/wrong_value.fail.sh | 9 +++++++++
.../sudo_remove_nopasswd/ansible/shared.yml | 16 +---------------
.../sudo/sudo_remove_nopasswd/bash/shared.sh | 12 +-----------
.../ansible/shared.yml | 9 +++++++++
.../bash/shared.sh | 9 +++++++++
.../tests/correct_value.pass.sh | 7 +++++++
.../tests/wrong_value.fail.sh | 11 +++++++++++
shared/macros-ansible.jinja | 19 +++++++++++++++++++
shared/macros-bash.jinja | 14 ++++++++++++++
12 files changed, 100 insertions(+), 26 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..692f86a2df
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..2de9538865
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
index ba0f9e78a6..37937aeda7 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -4,18 +4,4 @@
# complexity = low
# disruption = low
-- name: Find /etc/sudoers.d/ files
- find:
- paths:
- - /etc/sudoers.d/
- register: sudoers
-
-- name: "Remove lines containing NOPASSWD from sudoers files"
- replace:
- regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
- replace: '# \g<1>'
- path: "{{ item.path }}"
- validate: /usr/sbin/visudo -cf %s
- with_items:
- - { path: /etc/sudoers }
- - "{{ sudoers.files }}"
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
index 8c2f2f8240..cd4f829482 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -4,14 +4,4 @@
# complexity = low
# disruption = low
-for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
- nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
- if ! test -z "$nopasswd_list"; then
- while IFS= read -r nopasswd_entry; do
- # comment out "NOPASSWD:" matches to preserve user data
- sed -i "s/^${nopasswd_entry}$/# &/g" $f
- done <<< "$nopasswd_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6d01825fa8
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+rm -f /etc/sudoers
+echo "%wheel ALL=(ALL) ALL" > /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
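Review bot: Line 205 uses `>` right after line 204 also used `>`, so the second echo overwrites the `%wheel` entry and the resulting /etc/sudoers contains only `Defaults authenticate`; if the intent is a file holding both lines, line 205 should be `echo "Defaults authenticate" >> /etc/sudoers`. The scenario still passes either way, but as written the first echo is dead and the "correct value" fixture does not look like the configuration it is meant to represent.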
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..a2942b97e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel ALL=(ALL) !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
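Review bot: `%wheel ALL=(ALL) !authenticate ALL` on line 221 is not, as far as I can tell, valid sudoers syntax: `authenticate` is a Defaults option, and the only per-entry modifiers are the `Tag_Spec` keywords such as `NOPASSWD:`, so `!authenticate` here is parsed as a negated command name and the drop-in fails `visudo -c` before any remediation runs; unless the rule's pattern also comments that line out, the post-remediation validation keeps failing on it. If the goal is a second `!authenticate` form the rule must catch, the per-user Defaults spelling `Defaults:%wheel !authenticate` is valid; otherwise drop the line. It would help to state in a comment which of the two lines in each file the rule is expected to flag.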