From 80cee70a289588a9dc7c8f9431f073c4ce54c5f7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Apr 2021 11:32:54 +0200
Subject: [PATCH 01/10] add rhel7 stig references and update description

---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml                                             | 9 ++++++++-
 shared/references/cce-redhat-avail.txt                   | 1 -
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index db1d4fc79cb..d13d24dc229 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,13 +2,16 @@ documentation_complete: true
 
 title: 'The operating system must restrict privilege elevation to authorized personnel'
 
-prodtype: sle15
+prodtype: ol7,rhel7,sle15
 
 description: |-
     The sudo command allows a user to execute programs with elevated
     (administrator) privileges. It prompts the user for their password
     and confirms your request to execute a command by checking a file,
     called sudoers.
+    Restrict privileged actions by removing the following entries from the sudoers file:
+    <tt>ALL ALL=(ALL) ALL</tt>
+    <tt>ALL ALL=(ALL:ALL) ALL</tt>
 
 rationale: |-
     If the "sudoers" file is not configured correctly, any user defined
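Review bot: The added description names only "the sudoers file", yet this series also carries a `sudoers_d.fail.sh` scenario, which suggests the check is meant to cover drop-in files too. An administrator following the text literally could leave `ALL ALL=(ALL) ALL` in a file under `/etc/sudoers.d` and still have unrestricted elevation. Consider `Restrict privileged actions by removing the following entries from /etc/sudoers and from any file in /etc/sudoers.d:`. The `ALL ALL=(ALL:ALL) ALL` form is listed here, but the only fail scenario whose body is visible in the series writes `ALL ALL=(ALL) ALL`, so a fail test for the second form would be worth adding if none exists. The two `<tt>` entries sit on consecutive lines of a `|-` block and will probably render on one line; wrapping them in `<pre>` would keep them distinct.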
@@ -18,11 +21,15 @@ severity: medium
 
 identifiers:
     cce@sle15: CCE-85712-8
+    cce@rhel7: CCE-83423-4
 
 references:
     nist: CM-6(b),CM-6(iv)
     disa@sle15: CCI-000366
     stig@sle15: SLES-15-020101
+    disa@rhel7: CCI-000366
+    stigid@rhel7: RHEL-07-010341
+    srg: SRG-OS-000480-GPOS-00227
 
 ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel'
 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 7ad068fc611..257b07d1f0b 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -7,7 +7,6 @@
 CCE-83407-7
 CCE-83421-8
 CCE-83422-6
-CCE-83423-4
 CCE-83425-9
 CCE-83426-7
 CCE-83428-3

From 277abe35785e38337d8c17d46b8ca0372eac2f6d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Apr 2021 11:36:33 +0200
Subject: [PATCH 02/10] fix sle15 reference

---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml    | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index d13d24dc229..73812cccd83 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
     nist: CM-6(b),CM-6(iv)
     disa@sle15: CCI-000366
-    stig@sle15: SLES-15-020101
+    stigid@sle15: SLES-15-020101
     disa@rhel7: CCI-000366
     stigid@rhel7: RHEL-07-010341
     srg: SRG-OS-000480-GPOS-00227

From d3c3c0eea1d8eac57fc517ec9209854f2ae23353 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Apr 2021 11:36:56 +0200
Subject: [PATCH 03/10] add rule to the profile

---
 rhel7/profiles/stig.profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index fc4dbb12e11..b0def70fd01 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -104,6 +104,7 @@ selections:
     - accounts_passwords_pam_faillock_deny
     - accounts_passwords_pam_faillock_deny_root
     - sudo_remove_nopasswd
+    - sudo_restrict_privilege_elevation_to_authorized
     - sudo_remove_no_authenticate
     - accounts_logon_fail_delay
     - gnome_gdm_disable_automatic_login

From a22162a02358b15d840fba8a57eb5b3006ed67e4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Apr 2021 11:49:46 +0200
Subject: [PATCH 04/10] update test applicability

---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh                                        | 1 +
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh                                        | 2 +-
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh                                     | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
index bc1f7aaf5a5..74aa21c68c8 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # platform = SUSE Linux Enterprise 15
 # packages = sudo
 
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
index 9d38ecc7f92..50f6eb51dee 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+#!/bin/bash
 # packages = sudo
 
 echo 'user ALL=(admin) ALL' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
index f5f156829b8..4471436cada 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+#!/bin/bash
 # packages = sudo
 # remediation = none
 

From 32de49c5dafdd1e8c1bb6e70b99b72ae10574060 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Apr 2021 11:57:00 +0200
Subject: [PATCH 05/10] update rule also for rhel8

---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml                                                | 6 +++++-
 shared/references/cce-redhat-avail.txt                      | 1 -
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index 73812cccd83..aea61df80d2 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 title: 'The operating system must restrict privilege elevation to authorized personnel'
 
-prodtype: ol7,rhel7,sle15
+prodtype: ol7,ol8,rhel7,rhel8,sle15
 
 description: |-
     The sudo command allows a user to execute programs with elevated
@@ -22,6 +22,8 @@ severity: medium
 identifiers:
     cce@sle15: CCE-85712-8
     cce@rhel7: CCE-83423-4
+    cce@rhel8: CCE-83425-9
+
 
 references:
     nist: CM-6(b),CM-6(iv)
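Review bot: The empty `+` line after `cce@rhel8: CCE-83425-9` leaves two blank lines between the `identifiers` and `references` mappings, where the rest of the file uses one; drop it. Separately, `prodtype` in the first hunk now lists `ol7` and `ol8`, but every identifier and reference added in this file is scoped to `rhel7`, `rhel8` or `sle15`. If the Oracle Linux products have their own STIG IDs for this control, they should be added alongside; if not, a short comment saying so would spare the next maintainer the lookup. The `references` mapping continues outside this hunk.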
@@ -30,6 +32,8 @@ references:
     disa@rhel7: CCI-000366
     stigid@rhel7: RHEL-07-010341
     srg: SRG-OS-000480-GPOS-00227
+    disa@rhel8: CCI-000366
+    stigid@rhel8: RHEL-08-010382
 
 ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel'
 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 257b07d1f0b..ec8e90215f4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -6,7 +6,6 @@
 CCE-83407-7
 CCE-83421-8
 CCE-83422-6
-CCE-83425-9
 CCE-83426-7
 CCE-83428-3
 CCE-83429-1

From 8505b5e209281f13c00581904ccc6410c76b3333 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 20 Apr 2021 12:13:01 +0200
Subject: [PATCH 07/10] update one more test applicability

---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh                                         | 1 -
 1 file changed, 1 deletion(-)

diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
index 74aa21c68c8..8547be4d6f6 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-# platform = SUSE Linux Enterprise 15
 # packages = sudo
 
 echo 'ALL ALL=(ALL) ALL' > /etc/sudoers