Blame SOURCES/scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch

07cb6b
From 19bd5adfd804590b15e42cc75287b792706286d5 Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Thu, 10 Feb 2022 15:25:06 +0100
07cb6b
Subject: [PATCH 1/9] Add rule to check for default sudoers includedir
07cb6b
07cb6b
This rule supports RHEL-08-010379.
07cb6b
---
07cb6b
 .../ansible/shared.yml                        |  7 ++++
07cb6b
 .../sudoers_default_includedir/bash/shared.sh | 11 ++++++
07cb6b
 .../oval/shared.xml                           | 23 +++++++++++
07cb6b
 .../sudo/sudoers_default_includedir/rule.yml  | 38 +++++++++++++++++++
07cb6b
 .../tests/default_includedir.pass.sh          |  7 ++++
07cb6b
 .../tests/duplicate_includedir.fail.sh        |  7 ++++
07cb6b
 .../tests/no_includedir.fail.sh               |  4 ++
07cb6b
 .../tests/two_includedir.fail.sh              |  8 ++++
07cb6b
 shared/references/cce-redhat-avail.txt        |  3 --
07cb6b
 9 files changed, 105 insertions(+), 3 deletions(-)
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
new file mode 100644
07cb6b
index 00000000000..d9d5933285f
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
@@ -0,0 +1,7 @@
07cb6b
+# platform = multi_platform_all
07cb6b
+# # reboot = false
07cb6b
+# # strategy = configure
07cb6b
+# # complexity = low
07cb6b
+# # disruption = low
07cb6b
+
07cb6b
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..3a9e2da985b
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
@@ -0,0 +1,11 @@
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+sudoers_config_file="/etc/sudoers"
07cb6b
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
07cb6b
+if [ "$sudoers_includedir_count" -gt 1 ]; then
07cb6b
+    sed -i "/#includedir.*/d" "$sudoers_config_file"
07cb6b
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
07cb6b
+fi
07cb6b
+if [ "$sudoers_includedir_count" -eq 0 ]; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
07cb6b
+fi
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
07cb6b
new file mode 100644
07cb6b
index 00000000000..5618c64291c
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
07cb6b
@@ -0,0 +1,23 @@
07cb6b
+<def-group>
07cb6b
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
07cb6b
+    {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
07cb6b
+    <criteria operator="AND">
07cb6b
+      <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
07cb6b
+    </criteria>
07cb6b
+  </definition>
07cb6b
+
07cb6b
+  
07cb6b
+      comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
07cb6b
+    <ind:object object_ref="object_sudoers_default_includedir" />
07cb6b
+    <ind:state state_ref="state_sudoers_default_includedir" />
07cb6b
+  </ind:textfilecontent54_test>
07cb6b
+  <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
07cb6b
+    <ind:filepath>/etc/sudoers</ind:filepath>
07cb6b
+    <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
07cb6b
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
07cb6b
+  </ind:textfilecontent54_object>
07cb6b
+  <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
07cb6b
+    <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
07cb6b
+  </ind:textfilecontent54_state>
07cb6b
+
07cb6b
+</def-group>
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
new file mode 100644
07cb6b
index 00000000000..5c33121f911
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
@@ -0,0 +1,38 @@
07cb6b
+documentation_complete: true
07cb6b
+
07cb6b
+prodtype: fedora,rhel7,rhel8,rhel9
07cb6b
+
07cb6b
+title: 'Ensure sudo only includes the default configuration directory'
07cb6b
+
07cb6b
+description: |-
07cb6b
+    Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
07cb6b
+    other directories and configuration files from the file currently being parsed.
07cb6b
+  
07cb6b
+    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
07cb6b
+    The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
07cb6b
+    <tt>/etc/sudoers.d</tt>
07cb6b
+    Note that the '#' character doesn't denote a comment in the configuration file.
07cb6b
+
07cb6b
+rationale: |-
07cb6b
+   Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
07cb6b
+   Use of these configuration options makes it easier for one compromised accound to be used to
07cb6b
+   compromise other accounts.
07cb6b
+
07cb6b
+severity: medium
07cb6b
+
07cb6b
+identifiers:
07cb6b
+    cce@rhel7: CCE-86277-1
07cb6b
+    cce@rhel8: CCE-86377-9
07cb6b
+    cce@rhel9: CCE-86477-7
07cb6b
+
07cb6b
+references:
07cb6b
+    disa: CCI-000366
07cb6b
+    stigid@rhel8: RHEL-08-010379
07cb6b
+
07cb6b
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
07cb6b
+
07cb6b
+ocil: |-
07cb6b
+    To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
07cb6b
+    run the following command:
07cb6b
+    
$ sudo grep 'include' /etc/sudoers
07cb6b
+    If only the line <tt>#includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..ac0c808ccd6
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
07cb6b
@@ -0,0 +1,7 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+# Ensure default config is there
07cb6b
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
+fi
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..5bad8225625
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
07cb6b
@@ -0,0 +1,7 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+# duplicate default entry
07cb6b
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
+fi
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..1e0ab8aea92
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
07cb6b
@@ -0,0 +1,4 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+sed -i "/#includedir.*/d" /etc/sudoers
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..09d14eab630
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
07cb6b
@@ -0,0 +1,8 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+# Ensure that there are two different indludedirs
07cb6b
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
+fi
07cb6b
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
07cb6b
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
07cb6b
index 41caad9f0d0..f2990adb537 100644
07cb6b
--- a/shared/references/cce-redhat-avail.txt
07cb6b
+++ b/shared/references/cce-redhat-avail.txt
07cb6b
@@ -340,7 +340,6 @@ CCE-86273-0
07cb6b
 CCE-86274-8
07cb6b
 CCE-86275-5
07cb6b
 CCE-86276-3
07cb6b
-CCE-86277-1
07cb6b
 CCE-86278-9
07cb6b
 CCE-86279-7
07cb6b
 CCE-86281-3
07cb6b
@@ -428,7 +427,6 @@ CCE-86373-8
07cb6b
 CCE-86374-6
07cb6b
 CCE-86375-3
07cb6b
 CCE-86376-1
07cb6b
-CCE-86377-9
07cb6b
 CCE-86378-7
07cb6b
 CCE-86379-5
07cb6b
 CCE-86380-3
07cb6b
@@ -524,7 +522,6 @@ CCE-86473-6
07cb6b
 CCE-86474-4
07cb6b
 CCE-86475-1
07cb6b
 CCE-86476-9
07cb6b
-CCE-86477-7
07cb6b
 CCE-86478-5
07cb6b
 CCE-86479-3
07cb6b
 CCE-86480-1
07cb6b
07cb6b
From 99fe46922243e8dff5822e2ed6eb49addd000baa Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Thu, 10 Feb 2022 16:21:46 +0100
07cb6b
Subject: [PATCH 2/9] Select rule in RHEL8 STIG
07cb6b
07cb6b
Select sudoers_default_indludedir aligning to RHEL8 STIG V1R5
07cb6b
---
07cb6b
 products/rhel8/profiles/stig.profile | 3 +++
07cb6b
 1 file changed, 3 insertions(+)
07cb6b
07cb6b
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
07cb6b
index d92bc72971c..e13bda7a787 100644
07cb6b
--- a/products/rhel8/profiles/stig.profile
07cb6b
+++ b/products/rhel8/profiles/stig.profile
07cb6b
@@ -271,6 +271,9 @@ selections:
07cb6b
     # RHEL-08-010376
07cb6b
     - sysctl_kernel_perf_event_paranoid
07cb6b
 
07cb6b
+    # RHEL-08-010379
07cb6b
+    - sudoers_default_includedir
07cb6b
+
07cb6b
     # RHEL-08-010380
07cb6b
     - sudo_remove_nopasswd
07cb6b
 
07cb6b
07cb6b
From 3686fe72a6e27049f1c46d0a4efa07e1b42b6a20 Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Thu, 10 Feb 2022 17:26:59 +0100
07cb6b
Subject: [PATCH 3/9] Add test and fix for case when the single includedir is
07cb6b
 wrong
07cb6b
07cb6b
---
07cb6b
 .../sudo/sudoers_default_includedir/bash/shared.sh         | 7 +++++--
07cb6b
 .../tests/wrong_includedir.fail.sh                         | 5 +++++
07cb6b
 2 files changed, 10 insertions(+), 2 deletions(-)
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
index 3a9e2da985b..258af02c121 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
@@ -5,7 +5,10 @@ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
07cb6b
 if [ "$sudoers_includedir_count" -gt 1 ]; then
07cb6b
     sed -i "/#includedir.*/d" "$sudoers_config_file"
07cb6b
     echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
07cb6b
-fi
07cb6b
-if [ "$sudoers_includedir_count" -eq 0 ]; then
07cb6b
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
07cb6b
     echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
07cb6b
+else
07cb6b
+    if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
07cb6b
+    fi
07cb6b
 fi
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..55a072adf3c
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
07cb6b
@@ -0,0 +1,5 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+sed -i "/#includedir.*/d" /etc/sudoers
07cb6b
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
07cb6b
07cb6b
From 0b20b495ed82cead1a033170b900c13da5260603 Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Mon, 14 Feb 2022 14:50:11 +0100
07cb6b
Subject: [PATCH 4/9] Add tests for sudo file and dir includes in
07cb6b
 /etc/sudoers.d
07cb6b
07cb6b
---
07cb6b
 .../tests/sudoers.d_with_include.fail.sh              |  9 +++++++++
07cb6b
 .../tests/sudoers.d_with_includedir.fail.sh           |  9 +++++++++
07cb6b
 .../tests/sudoers_with_include.fail.sh                | 11 +++++++++++
07cb6b
 3 files changed, 29 insertions(+)
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
07cb6b
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..554ef2e060d
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
07cb6b
@@ -0,0 +1,9 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+# Ensure default config is there
07cb6b
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
+fi
07cb6b
+
07cb6b
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..516b68b5a3e
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
07cb6b
@@ -0,0 +1,9 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+# Ensure default config is there
07cb6b
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
+fi
07cb6b
+
07cb6b
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
07cb6b
new file mode 100644
07cb6b
index 00000000000..ad04880e334
07cb6b
--- /dev/null
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
07cb6b
@@ -0,0 +1,11 @@
07cb6b
+#!/bin/bash
07cb6b
+# platform = multi_platform_all
07cb6b
+
07cb6b
+# Ensure default config is there
07cb6b
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
+fi
07cb6b
+
07cb6b
+if ! grep -q "#include " /etc/sudoers; then
07cb6b
+    echo "#include /etc/my-sudoers" >> /etc/sudoers
07cb6b
+fi
07cb6b
07cb6b
From d91e3eefe6c265c27634cb15b0f276a298f81645 Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Mon, 14 Feb 2022 14:59:18 +0100
07cb6b
Subject: [PATCH 5/9] Update rule catch and remove other sudo includes
07cb6b
07cb6b
Any other #include or #includedir besides:
07cb6b
"/etc/sudoers: #includedir /etc/sudoers.d" should be removed.
07cb6b
---
07cb6b
 .../ansible/shared.yml                        | 14 +++++++++++
07cb6b
 .../sudoers_default_includedir/bash/shared.sh |  7 ++++--
07cb6b
 .../oval/shared.xml                           | 23 +++++++++++++++++++
07cb6b
 .../sudo/sudoers_default_includedir/rule.yml  |  7 +++---
07cb6b
 4 files changed, 46 insertions(+), 5 deletions(-)
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
index d9d5933285f..175a447e0d9 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
@@ -5,3 +5,17 @@
07cb6b
 # # disruption = low
07cb6b
 
07cb6b
 {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
07cb6b
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
07cb6b
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
07cb6b
+  find:
07cb6b
+    path: "/etc/sudoers.d"
07cb6b
+    patterns: "*"
07cb6b
+    contains: '^#include(dir)?\s.*$'
07cb6b
+  register: sudoers_d_includes
07cb6b
+
07cb6b
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
07cb6b
+  lineinfile:
07cb6b
+    path: "{{ item.path }}"
07cb6b
+    regexp: '^#include(dir)?\s.*$'
07cb6b
+    state: absent
07cb6b
+  with_items: "{{ sudoers_d_includes.files }}"
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
index 258af02c121..2d00b471677 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
@@ -1,6 +1,7 @@
07cb6b
 # platform = multi_platform_all
07cb6b
 
07cb6b
 sudoers_config_file="/etc/sudoers"
07cb6b
+sudoers_config_dir="/etc/sudoers.d"
07cb6b
 sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
07cb6b
 if [ "$sudoers_includedir_count" -gt 1 ]; then
07cb6b
     sed -i "/#includedir.*/d" "$sudoers_config_file"
07cb6b
@@ -8,7 +9,9 @@ if [ "$sudoers_includedir_count" -gt 1 ]; then
07cb6b
 elif [ "$sudoers_includedir_count" -eq 0 ]; then
07cb6b
     echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
07cb6b
 else
07cb6b
-    if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
-        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
07cb6b
+    if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
07cb6b
+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
07cb6b
     fi
07cb6b
 fi
07cb6b
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
07cb6b
+sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
07cb6b
index 5618c64291c..59cab0b89de 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
07cb6b
@@ -3,6 +3,8 @@
07cb6b
     {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
07cb6b
     <criteria operator="AND">
07cb6b
       <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
07cb6b
+      <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
07cb6b
+      <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
07cb6b
     </criteria>
07cb6b
   </definition>
07cb6b
 
07cb6b
@@ -20,4 +22,25 @@
07cb6b
     <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
07cb6b
   </ind:textfilecontent54_state>
07cb6b
 
07cb6b
+  
07cb6b
+      comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
07cb6b
+    <ind:object object_ref="object_sudoers_without_include" />
07cb6b
+  </ind:textfilecontent54_test>
07cb6b
+  <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
07cb6b
+    <ind:filepath>/etc/sudoers</ind:filepath>
07cb6b
+    <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
07cb6b
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
07cb6b
+  </ind:textfilecontent54_object>
07cb6b
+
07cb6b
+  
07cb6b
+      comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
07cb6b
+    <ind:object object_ref="object_sudoersd_without_includes" />
07cb6b
+  </ind:textfilecontent54_test>
07cb6b
+  <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
07cb6b
+    <ind:path>/etc/sudoers.d/</ind:path>
07cb6b
+    <ind:filename operation="pattern match">.*</ind:filename>
07cb6b
+    <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
07cb6b
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
07cb6b
+  </ind:textfilecontent54_object>
07cb6b
+
07cb6b
 </def-group>
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
index 5c33121f911..3a8c22ac8af 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
@@ -10,7 +10,7 @@ description: |-
07cb6b
   
07cb6b
     Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
07cb6b
     The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
07cb6b
-    <tt>/etc/sudoers.d</tt>
07cb6b
+    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
07cb6b
     Note that the '#' character doesn't denote a comment in the configuration file.
07cb6b
 
07cb6b
 rationale: |-
07cb6b
@@ -34,5 +34,6 @@ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other
07cb6b
 ocil: |-
07cb6b
     To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
07cb6b
     run the following command:
07cb6b
-    
$ sudo grep 'include' /etc/sudoers
07cb6b
-    If only the line <tt>#includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
07cb6b
+    
$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
07cb6b
+    If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
07cb6b
+    Any other line returned is a finding.
07cb6b
07cb6b
From ead72b744f1fc03893184079c079df27780044c2 Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Mon, 14 Feb 2022 15:00:46 +0100
07cb6b
Subject: [PATCH 6/9] Add SRG to sudoers_default_includedir
07cb6b
07cb6b
---
07cb6b
 .../system/software/sudo/sudoers_default_includedir/rule.yml     | 1 +
07cb6b
 1 file changed, 1 insertion(+)
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
index 3a8c22ac8af..a97bd3efb2c 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
07cb6b
@@ -27,6 +27,7 @@ identifiers:
07cb6b
 
07cb6b
 references:
07cb6b
     disa: CCI-000366
07cb6b
+    srg: SRG-OS-000480-GPOS-00227
07cb6b
     stigid@rhel8: RHEL-08-010379
07cb6b
 
07cb6b
 ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
07cb6b
07cb6b
From c1a08fe6b8e6388b89b190ca74e57af06e7c999c Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Mon, 14 Feb 2022 16:12:32 +0100
07cb6b
Subject: [PATCH 7/9] Update RHEL8 STIG profile stability data
07cb6b
07cb6b
---
07cb6b
 tests/data/profile_stability/rhel8/stig.profile     | 1 +
07cb6b
 tests/data/profile_stability/rhel8/stig_gui.profile | 1 +
07cb6b
 2 files changed, 2 insertions(+)
07cb6b
07cb6b
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
07cb6b
index e4fee44f9f9..974b28757e9 100644
07cb6b
--- a/tests/data/profile_stability/rhel8/stig.profile
07cb6b
+++ b/tests/data/profile_stability/rhel8/stig.profile
07cb6b
@@ -365,6 +365,7 @@ selections:
07cb6b
 - sudo_remove_nopasswd
07cb6b
 - sudo_require_reauthentication
07cb6b
 - sudo_restrict_privilege_elevation_to_authorized
07cb6b
+- sudoers_default_includedir
07cb6b
 - sudoers_validate_passwd
07cb6b
 - sysctl_crypto_fips_enabled
07cb6b
 - sysctl_fs_protected_hardlinks
07cb6b
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
07cb6b
index 83d04775e3a..99e0af4f5a6 100644
07cb6b
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
07cb6b
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
07cb6b
@@ -376,6 +376,7 @@ selections:
07cb6b
 - sudo_remove_nopasswd
07cb6b
 - sudo_require_reauthentication
07cb6b
 - sudo_restrict_privilege_elevation_to_authorized
07cb6b
+- sudoers_default_includedir
07cb6b
 - sudoers_validate_passwd
07cb6b
 - sysctl_crypto_fips_enabled
07cb6b
 - sysctl_fs_protected_hardlinks
07cb6b
07cb6b
From adae3ecbda4362e23cd1f30e053db37d6a1d403b Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Mon, 14 Feb 2022 16:59:22 +0100
07cb6b
Subject: [PATCH 8/9] Fix Ansible remediation metadata
07cb6b
07cb6b
---
07cb6b
 .../sudo/sudoers_default_includedir/ansible/shared.yml    | 8 ++++----
07cb6b
 1 file changed, 4 insertions(+), 4 deletions(-)
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
index 175a447e0d9..0d8c9e75184 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
07cb6b
@@ -1,8 +1,8 @@
07cb6b
 # platform = multi_platform_all
07cb6b
-# # reboot = false
07cb6b
-# # strategy = configure
07cb6b
-# # complexity = low
07cb6b
-# # disruption = low
07cb6b
+# reboot = false
07cb6b
+# strategy = configure
07cb6b
+# complexity = low
07cb6b
+# disruption = low
07cb6b
 
07cb6b
 {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
07cb6b
 {{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
07cb6b
07cb6b
From d3f048456908b316c0dcc0bff2328cf87fe6e7de Mon Sep 17 00:00:00 2001
07cb6b
From: Watson Sato <wsato@redhat.com>
07cb6b
Date: Mon, 14 Feb 2022 17:39:39 +0100
07cb6b
Subject: [PATCH 9/9] Handle case when /etc/sudoers.d doesn't exist
07cb6b
07cb6b
The remediation skips the directory, and the test scenarios create the
07cb6b
dir to ensure the test scenario works.
07cb6b
---
07cb6b
 .../sudo/sudoers_default_includedir/bash/shared.sh        | 8 ++++++--
07cb6b
 .../tests/sudoers.d_with_include.fail.sh                  | 1 +
07cb6b
 .../tests/sudoers.d_with_includedir.fail.sh               | 1 +
07cb6b
 3 files changed, 8 insertions(+), 2 deletions(-)
07cb6b
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
index 2d00b471677..fbff5eb6f30 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
07cb6b
@@ -13,5 +13,9 @@ else
07cb6b
         sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
07cb6b
     fi
07cb6b
 fi
07cb6b
-sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
07cb6b
-sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
07cb6b
+
07cb6b
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
07cb6b
+
07cb6b
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
07cb6b
+    sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
07cb6b
+fi
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
07cb6b
index 554ef2e060d..3f14ecc1627 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
07cb6b
@@ -1,6 +1,7 @@
07cb6b
 #!/bin/bash
07cb6b
 # platform = multi_platform_all
07cb6b
 
07cb6b
+mkdir -p /etc/sudoers.d
07cb6b
 # Ensure default config is there
07cb6b
 if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
     echo "#includedir /etc/sudoers.d" >> /etc/sudoers
07cb6b
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
07cb6b
index 516b68b5a3e..89515076ff1 100644
07cb6b
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
07cb6b
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
07cb6b
@@ -1,6 +1,7 @@
07cb6b
 #!/bin/bash
07cb6b
 # platform = multi_platform_all
07cb6b
 
07cb6b
+mkdir -p /etc/sudoers.d
07cb6b
 # Ensure default config is there
07cb6b
 if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
07cb6b
     echo "#includedir /etc/sudoers.d" >> /etc/sudoers