From d60c5a0b861625bc1184b0ed3951e9d46fc1e256 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Fri, 4 Sep 2020 15:21:42 +0200
Subject: [PATCH 1/3] Add ansible remediation for sudo_remove_nopasswd.
Add test scenarios for sudo_remove_nopasswd.
---
 .../sudo_remove_nopasswd/ansible/shared.yml | 21 +++++++++++++++++++
 .../tests/correct_value.pass.sh | 6 ++++++
 .../tests/wrong_value.fail.sh | 9 ++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
new file mode 100644
index 0000000000..ba0f9e78a6
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+
+- name: "Remove lines containing NOPASSWD from sudoers files"
+ replace:
+ regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
+ replace: '# \g<1>'
+ path: "{{ item.path }}"
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - { path: /etc/sudoers }
+ - "{{ sudoers.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..3a94382235
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "%wheel ALL=(ALL) ALL" > /etc/sudoers
+chmod 440 /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..5b2eecd3be
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
From af0f8b73f84a1bd14a69295a04dd6520c56930ba Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 7 Sep 2020 16:25:40 +0200
Subject: [PATCH 2/3] Add bash remediation for sudo_remove_nopasswd.
---
 .../sudo/sudo_remove_nopasswd/bash/shared.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
new file mode 100644
index 0000000000..8c2f2f8240
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
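Review bot: `mkdir /etc/sudoers.d/` in wrong_value.fail.sh has no `-p`, so on an image where the sudo package already ships that directory the call fails with "File exists" and, with no `set -e`, the script silently carries on; the scenario still works, but the error in the test log misleads, so use `mkdir -p /etc/sudoers.d/`. The same line recurs in sudo_remove_no_authenticate/tests/wrong_value.fail.sh and sudo_require_authentication/tests/wrong_value.fail.sh in patch 3. The companion correct_value.pass.sh only rewrites /etc/sudoers and never clears /etc/sudoers.d/, which is fine if the harness restores a clean snapshot per scenario but worth a one-line comment stating that assumption.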
@@ -0,0 +1,17 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
+ nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$nopasswd_list"; then
+ while IFS= read -r nopasswd_entry; do
+ # comment out "NOPASSWD:" matches to preserve user data
+ sed -i "s/^${nopasswd_entry}$/# &/g" $f
+ done <<< "$nopasswd_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
From e6ebab404aa415e7308f112e2ac99e8ccd821aff Mon Sep 17 00:00:00 2001
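Review bot: The matched sudoers line is spliced unescaped into the sed script in `sed -i "s/^${nopasswd_entry}$/# &/g" $f`, so any entry that names a command path (a rule granting `NOPASSWD:` on something under /usr/bin, the common real-world shape) carries a `/` that ends the s/// pattern early, sed reports an error and the line stays active; `&`, `[`, `.` and `\` in an entry misfire the same way. visudo is also only consulted after `sed -i` has already rewritten the live file, so a validation failure prints a message and leaves a possibly malformed /etc/sudoers in place, which disables sudo for every user until fixed by hand; the Ansible variant in patch 1 validates a copy through `validate:` before writing, and the bash side should do the same. `for f in $( ls … )` and the unquoted `$f` are the usual ShellCheck findings (SC2045, SC2086); iterating the glob directly with a `[ -f "$f" ] || continue` guard covers the missing-directory case without `ls`. If the loop body was carried over into `bash_sudo_remove_config` in shared/macros-bash.jinja by patch 3 (that macro's hunk is not in view), the same applies there.
```shell
# … unchanged: platform/reboot/strategy/complexity/disruption header …
for f in /etc/sudoers /etc/sudoers.d/*; do
  [ -f "$f" ] || continue
  grep -qP '^(?!#).*[\s]+NOPASSWD[\s]*\:' "$f" || continue
  tmp=$(mktemp) || continue
  # Address-based edit: no sudoers text is interpolated into the sed script,
  # so '/', '&', '[' or '\' inside the matched entry cannot break it.
  sed '/^#/!{/[[:space:]][[:space:]]*NOPASSWD[[:space:]]*:/s/^/# /}' "$f" > "$tmp"
  # Validate the edited copy before touching the live file; a malformed
  # sudoers locks every user out of sudo. cat > keeps owner and mode of $f.
  if /usr/sbin/visudo -cf "$tmp" > /dev/null 2>&1; then
    cat "$tmp" > "$f"
  else
    echo "Fail to validate $f with visudo, leaving it unchanged"
  fi
  rm -f "$tmp"
done
```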
From: Gabriel Becker
Date: Mon, 7 Sep 2020 17:53:53 +0200
Subject: [PATCH 3/3] Create bash and ansible macro for sudo related rules.
---
 .../ansible/shared.yml | 7 +++++++
 .../bash/shared.sh | 7 +++++++
 .../tests/correct_value.pass.sh | 6 ++++++
 .../tests/wrong_value.fail.sh | 9 +++++++++
 .../sudo_remove_nopasswd/ansible/shared.yml | 16 +---------------
 .../sudo/sudo_remove_nopasswd/bash/shared.sh | 12 +-----------
 .../ansible/shared.yml | 9 +++++++++
 .../bash/shared.sh | 9 +++++++++
 .../tests/correct_value.pass.sh | 7 +++++++
 .../tests/wrong_value.fail.sh | 11 +++++++++++
 shared/macros-ansible.jinja | 19 +++++++++++++++++++
 shared/macros-bash.jinja | 14 ++++++++++++++
 12 files changed, 100 insertions(+), 26 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..692f86a2df
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..2de9538865
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
index ba0f9e78a6..37937aeda7 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -4,18 +4,4 @@
 # complexity = low
 # disruption = low
 
-- name: Find /etc/sudoers.d/ files
- find:
- paths:
- - /etc/sudoers.d/
- register: sudoers
-
-- name: "Remove lines containing NOPASSWD from sudoers files"
- replace:
- regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
- replace: '# \g<1>'
- path: "{{ item.path }}"
- validate: /usr/sbin/visudo -cf %s
- with_items:
- - { path: /etc/sudoers }
- "{{ sudoers.files }}"
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
index 8c2f2f8240..cd4f829482 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
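Review bot: The macro call `{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}` gives the reader no way to tell what the two arguments mean, or that the `validate: /usr/sbin/visudo -cf %s` step and the `(^(?!#)` comment exclusion of the removed tasks are expected to live inside the macro; its definition is in shared/macros-ansible.jinja, whose hunk is not in view here. A short comment above the call would carry that, e.g. `# args: label for the task name, regex fragment matched on non-comment lines of /etc/sudoers and /etc/sudoers.d/*; the macro is expected to keep the visudo validation`, with the wording adjusted to what the macro actually does. The same goes for the `bash_sudo_remove_config` call in bash/shared.sh below.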
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -4,14 +4,4 @@
 # complexity = low
 # disruption = low
 
-for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
- nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
- if ! test -z "$nopasswd_list"; then
- while IFS= read -r nopasswd_entry; do
- # comment out "NOPASSWD:" matches to preserve user data
- sed -i "s/^${nopasswd_entry}$/# &/g" $f
- done <<< "$nopasswd_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6d01825fa8
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+rm -f /etc/sudoers
+echo "%wheel ALL=(ALL) ALL" > /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..a2942b97e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel ALL=(ALL) !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
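Review bot: In sudo_require_authentication/tests/correct_value.pass.sh, `echo "Defaults authenticate" > /etc/sudoers` truncates the file and discards the `%wheel ALL=(ALL) ALL` line written on the line just before it, so the scenario ends with a sudoers containing only the Defaults line rather than the two-line configuration the script clearly intends; make it `echo "Defaults authenticate" >> /etc/sudoers`. The scenario most likely still passes either way, which is exactly why the slip would go unnoticed.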
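Review bot: In sudo_require_authentication/tests/wrong_value.fail.sh, `%wheel ALL=(ALL) !authenticate ALL` written to /etc/sudoers.d/sudoers mixes a Defaults option into a user specification; sudoers(5) lists `NOPASSWD:` as the tag form and `authenticate` as a Defaults flag, so visudo is unlikely to accept this line as written and the post-remediation validation may trip on it for reasons unrelated to the rule. If the intent is to exercise a per-spec variant, a comment saying so would help the next reader; otherwise the `Defaults !authenticate` line already appended to the same file covers the scenario and this one can go.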