From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 5 Aug 2022 12:45:24 +0200
Subject: [PATCH] Fix rule sudo_custom_logfile
- Allow only white space after the Default keyword to avoid
matching words that only start with Default.
- If the variable value contains slashes they need to be escaped
because the sed command uses slashes as a separator, otherwise
the sed doesn't replace the wrong line during a remediation.
Also adds 2 test scenarios.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
---
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
.../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
.../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
shared/templates/sudo_defaults_option/ansible.template | 2 +-
shared/templates/sudo_defaults_option/bash.template | 5 +++--
shared/templates/sudo_defaults_option/oval.template | 2 +-
6 files changed, 14 insertions(+), 5 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 739f5f14936..94fbaaa33ed 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
ocil: |-
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
- <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+ <pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
new file mode 100644
index 00000000000..13ff4559edb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
new file mode 100644
index 00000000000..ec24854f0f9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
index 094fa430b64..c9e344ec772 100644
--- a/shared/templates/sudo_defaults_option/ansible.template
+++ b/shared/templates/sudo_defaults_option/ansible.template
@@ -8,7 +8,7 @@
- name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
lineinfile:
path: /etc/sudoers
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
validate: /usr/sbin/visudo -cf %s
backrefs: yes
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
index e3563d42db6..e7d962a668d 100644
--- a/shared/templates/sudo_defaults_option/bash.template
+++ b/shared/templates/sudo_defaults_option/bash.template
@@ -9,7 +9,7 @@
{{% endif %}}
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option {{{ OPTION }}}
echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
{{%- if not VARIABLE_NAME %}}
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
{{% if '/' in OPTION %}}
{{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
{{% endif %}}
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
fi
fi
{{% endif %}}
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
index c0d81c95093..a9636a7204a 100644
--- a/shared/templates/sudo_defaults_option/oval.template
+++ b/shared/templates/sudo_defaults_option/oval.template
@@ -13,7 +13,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_{{{ OPTION }}}_sudoers" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
- <ind:pattern operation="pattern match">^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
+ <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal" >1</ind:instance>
</ind:textfilecontent54_object>