commit 804ab7d7e48d3d6a93aab8c99a1b71410553983b

Author: Watson Sato <wsato@redhat.com>

Date:   Mon Feb 28 11:44:13 2022 +0100

    Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch.

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml

new file mode 100644

index 0000000..0d8c9e7

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml

@@ -0,0 +1,21 @@

+# platform = multi_platform_all

+# reboot = false

+# strategy = configure

+# complexity = low

+# disruption = low

+

+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}

+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}

+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"

+  find:

+    path: "/etc/sudoers.d"

+    patterns: "*"

+    contains: '^#include(dir)?\s.*$'

+  register: sudoers_d_includes

+

+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"

+  lineinfile:

+    path: "{{ item.path }}"

+    regexp: '^#include(dir)?\s.*$'

+    state: absent

+  with_items: "{{ sudoers_d_includes.files }}"

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh

new file mode 100644

index 0000000..fbff5eb

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh

@@ -0,0 +1,21 @@

+# platform = multi_platform_all

+

+sudoers_config_file="/etc/sudoers"

+sudoers_config_dir="/etc/sudoers.d"

+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")

+if [ "$sudoers_includedir_count" -gt 1 ]; then

+    sed -i "/#includedir.*/d" "$sudoers_config_file"

+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"

+elif [ "$sudoers_includedir_count" -eq 0 ]; then

+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"

+else

+    if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then

+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"

+    fi

+fi

+

+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"

+

+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then

+    sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*

+fi

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml

new file mode 100644

index 0000000..59cab0b

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml

@@ -0,0 +1,46 @@

+<def-group>

+  <definition class="compliance" id="{{{ rule_id }}}" version="1">

+    {{{ oval_metadata("Check if sudo includes only the default includedir") }}}

+    <criteria operator="AND">

+      <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />

+      <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />

+      <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />

+    </criteria>

+  </definition>

+

+  

+      comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">

+    <ind:object object_ref="object_sudoers_default_includedir" />

+    <ind:state state_ref="state_sudoers_default_includedir" />

+  </ind:textfilecontent54_test>

+  <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">

+    <ind:filepath>/etc/sudoers</ind:filepath>

+    <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>

+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+  <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">

+    <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>

+  </ind:textfilecontent54_state>

+

+  

+      comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">

+    <ind:object object_ref="object_sudoers_without_include" />

+  </ind:textfilecontent54_test>

+  <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">

+    <ind:filepath>/etc/sudoers</ind:filepath>

+    <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>

+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+  

+      comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">

+    <ind:object object_ref="object_sudoersd_without_includes" />

+  </ind:textfilecontent54_test>

+  <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">

+    <ind:path>/etc/sudoers.d/</ind:path>

+    <ind:filename operation="pattern match">.*</ind:filename>

+    <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>

+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

+</def-group>

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml

new file mode 100644

index 0000000..a97bd3e

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml

@@ -0,0 +1,40 @@

+documentation_complete: true

+

+prodtype: fedora,rhel7,rhel8,rhel9

+

+title: 'Ensure sudo only includes the default configuration directory'

+

+description: |-

+    Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include

+    other directories and configuration files from the file currently being parsed.

+  

+    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.

+    The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to

+    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.

+    Note that the '#' character doesn't denote a comment in the configuration file.

+

+rationale: |-

+   Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.

+   Use of these configuration options makes it easier for one compromised accound to be used to

+   compromise other accounts.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: CCE-86277-1

+    cce@rhel8: CCE-86377-9

+    cce@rhel9: CCE-86477-7

+

+references:

+    disa: CCI-000366

+    srg: SRG-OS-000480-GPOS-00227

+    stigid@rhel8: RHEL-08-010379

+

+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"

+

+ocil: |-

+    To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,

+    run the following command:

+    
$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d

+    If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.

+    Any other line returned is a finding.

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh

new file mode 100644

index 0000000..ac0c808

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+# Ensure default config is there

+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then

+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers

+fi

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh

new file mode 100644

index 0000000..5bad822

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh

@@ -0,0 +1,7 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+# duplicate default entry

+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then

+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers

+fi

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh

new file mode 100644

index 0000000..1e0ab8a

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh

@@ -0,0 +1,4 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+sed -i "/#includedir.*/d" /etc/sudoers

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh

new file mode 100644

index 0000000..3f14ecc

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+mkdir -p /etc/sudoers.d

+# Ensure default config is there

+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then

+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers

+fi

+

+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh

new file mode 100644

index 0000000..8951507

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh

@@ -0,0 +1,10 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+mkdir -p /etc/sudoers.d

+# Ensure default config is there

+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then

+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers

+fi

+

+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh

new file mode 100644

index 0000000..ad04880

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh

@@ -0,0 +1,11 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+# Ensure default config is there

+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then

+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers

+fi

+

+if ! grep -q "#include " /etc/sudoers; then

+    echo "#include /etc/my-sudoers" >> /etc/sudoers

+fi

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh

new file mode 100644

index 0000000..09d14ea

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh

@@ -0,0 +1,8 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+# Ensure that there are two different indludedirs

+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then

+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers

+fi

+echo "#includedir /opt/extra_config.d" >> /etc/sudoers

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh

new file mode 100644

index 0000000..55a072a

--- /dev/null

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh

@@ -0,0 +1,5 @@

+#!/bin/bash

+# platform = multi_platform_all

+

+sed -i "/#includedir.*/d" /etc/sudoers

+echo "#includedir /opt/extra_config.d" >> /etc/sudoers

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index bfb3753..f5fed4a 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -271,6 +271,9 @@ selections:

     # RHEL-08-010376

     - sysctl_kernel_perf_event_paranoid

+    # RHEL-08-010379

+    - sudoers_default_includedir

+

     # RHEL-08-010380

     - sudo_remove_nopasswd

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index ec92589..99bccc7 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -478,7 +478,6 @@ CCE-86373-8

 CCE-86374-6

 CCE-86375-3

 CCE-86376-1

-CCE-86377-9

 CCE-86378-7

 CCE-86379-5

 CCE-86380-3

@@ -576,7 +575,6 @@ CCE-86473-6

 CCE-86474-4

 CCE-86475-1

 CCE-86476-9

-CCE-86477-7

 CCE-86478-5

 CCE-86479-3

 CCE-86480-1

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 2411f02..2dbc2e4 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -360,6 +360,7 @@ selections:

 - sudo_remove_nopasswd

 - sudo_require_reauthentication

 - sudo_restrict_privilege_elevation_to_authorized

+- sudoers_default_includedir

 - sudoers_validate_passwd

 - sysctl_crypto_fips_enabled

 - sysctl_fs_protected_hardlinks

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index f0a9601..cd76884 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -371,6 +371,7 @@ selections:

 - sudo_remove_nopasswd

 - sudo_require_reauthentication

 - sudo_restrict_privilege_elevation_to_authorized

+- sudoers_default_includedir

 - sudoers_validate_passwd

 - sysctl_crypto_fips_enabled

 - sysctl_fs_protected_hardlinks