From 07261c69afcdc5f9afcdd5aefc2ee9510d705f37 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Wed, 3 Aug 2022 13:08:25 +0200

Subject: [PATCH 6/8] Merge pull request #9283 from

 yuumasato/accept_sudoers_without_includes

Patch-name: scap-security-guide-0.1.64-accept_sudoers_wihout_includes-PR_9283.patch

Patch-status: Accept sudoers files without includes as compliant

---

 .../oval/shared.xml                           | 24 +++++++++++++++----

 .../sudo/sudoers_default_includedir/rule.yml  |  8 ++++---

 ...cludedir.fail.sh => no_includedir.pass.sh} |  2 +-

 3 files changed, 26 insertions(+), 8 deletions(-)

 rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml

index 59cab0b89d..82095acc6e 100644

--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml

@@ -1,10 +1,16 @@

 <def-group>

   <definition class="compliance" id="{{{ rule_id }}}" version="1">

     {{{ oval_metadata("Check if sudo includes only the default includedir") }}}

-    <criteria operator="AND">

-      <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />

-      <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />

-      <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />

+    <criteria operator="OR">

+      <criteria operator="AND">

+        <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />

+        <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />

+      </criteria>

+      <criteria operator="AND">

+        <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />

+        <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />

+        <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />

+      </criteria>

     </criteria>

   </definition>

@@ -32,6 +38,16 @@

     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

   </ind:textfilecontent54_object>

+  

+      comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">

+    <ind:object object_ref="object_sudoers_without_includedir" />

+  </ind:textfilecontent54_test>

+  <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">

+    <ind:filepath>/etc/sudoers</ind:filepath>

+    <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>

+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>

+  </ind:textfilecontent54_object>

+

       comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">

     <ind:object object_ref="object_sudoersd_without_includes" />

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml

index aa2aaee19f..83bfb0183b 100644

--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml

@@ -8,9 +8,11 @@ description: |-

     Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include

     other directories and configuration files from the file currently being parsed.

-    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.

-    The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to

-    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.

+    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,

+    or that no drop-in file is included.

+    Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to

+    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;

+    Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.

     Note that the '#' character doesn't denote a comment in the configuration file.

 rationale: |-

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh

similarity index 51%

rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh

rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh

index 1e0ab8aea9..fe73cb2507 100644

--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh

+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh

@@ -1,4 +1,4 @@

 #!/bin/bash

 # platform = multi_platform_all

-sed -i "/#includedir.*/d" /etc/sudoers

+sed -i "/#include(dir)?.*/d" /etc/sudoers

-- 

2.37.1