From ec8ab4395f055af03b6147d40f86af4fb994ad62 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 26 Apr 2021 15:57:51 +0200
Subject: [PATCH 1/2] make rule and tests applicable to more products
add stigids for rhel7 and rhel8
---
.../system/software/sudo/sudoers_validate_passwd/rule.yml | 6 +++++-
.../tests/sudoers_validate_passwd.fail.sh | 2 +-
.../tests/sudoers_validate_passwd.pass.sh | 2 +-
.../tests/sudoers_validate_rootpw.fail.sh | 2 +-
.../tests/sudoers_validate_runaspw.fail.sh | 2 +-
.../tests/sudoers_validate_targetpw.fail.sh | 2 +-
shared/references/cce-redhat-avail.txt | 2 --
7 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index d0a90a3723a..8052e23c857 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
title: 'Ensure invoking users password for privilege escalation when using sudo'
-prodtype: sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
description: |-
The sudoers security policy requires that users authenticate themselves before they can use sudo.
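Review bot: The widened `prodtype` now enables this rule for fedora, ol7 and ol8 as well as rhel7/rhel8, but the diffstat of this patch touches only rule.yml, the test fixtures and the CCE pool — no `oval/` or `bash/`/`ansible/` file under `sudoers_validate_passwd/` is changed. If the rule's check or remediation content carries its own product-scoped `# platform` header (not visible here), it was not widened with the rule, and the rule would be selectable on those products without an applicable check; please confirm the OVAL and remediation headers, or note in the commit message that they are already multi-platform. The `description` block continues past the end of this hunk.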
@@ -20,6 +20,8 @@ rationale: |-
the invoking user for the "root" user password.
identifiers:
+ cce@rhel7: CCE-83421-8
+ cce@rhel8: CCE-83422-6
cce@sle15: CCE-85747-4
references:
@@ -27,6 +29,8 @@ references:
nist@sle15: CM-6(b),CM-6.1(iv)
srg: SRG-OS-000480-GPOS-00227
stigid@sle15: SLES-15-020103
+ stigid@rhel7: RHEL-07-010342
+ stigid@rhel8: RHEL-08-010383
ocil_clause: 'invoke user passwd when using sudo'
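Review bot: The new `stigid@rhel7`/`stigid@rhel8` keys are added without a matching NIST mapping for those products, while the only NIST entry in view, `nist@sle15: CM-6(b),CM-6.1(iv)`, is product-scoped even though the `srg` line is shared by all products. If the part of the `references` block above this hunk does not already carry a product-neutral `nist:` (or `disa:`) entry, RHEL STIG builds will show the STIG ID with no control cross-reference; consider adding `nist@rhel7: CM-6(b),CM-6.1(iv)` and `nist@rhel8: CM-6(b),CM-6.1(iv)` next to the STIG IDs. The new keys are also inserted after `stigid@sle15` rather than in sorted order, which matters if the project's rule linters expect sorted reference keys.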
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
index d8b33a0ac52..9706b8bd19d 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
# packages = sudo
if [ $(sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
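Review bot: The condition runs `sudo egrep ... | grep -v '#'`, which now executes on Fedora, OL and RHEL hosts too: the harness runs fixtures as root, so `sudo` is redundant, and on a product whose stock sudoers enables `requiretty` it could fail when the fixture runs without a tty, making the fixture depend on the very sudoers configuration it is about to modify. `egrep` is also deprecated in favour of `grep -E`, and `grep -v '#'` drops any matching line that merely carries a trailing comment, so `Defaults !targetpw  # per STIG` would be treated as absent. If the intent is to mirror the STIG check command verbatim, a one-line comment saying so would stop the next reader "fixing" it; otherwise `if [ "$(grep -Ei '^[^#]*(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | wc -l)" -ne 0 ]` removes both issues. The `then` body of this `if` lies outside the hunk.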
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
index f2461085f99..093f9dd80bf 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
# packages = sudo
echo 'Defaults !targetpw' >> /etc/sudoers
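Review bot: The pass fixture appends only `Defaults !targetpw`, while this same patch adds separate fail fixtures that grep for `!rootpw` and `!runaspw` individually, which suggests the check distinguishes all three keywords. If the OVAL now enabled for rhel7/rhel8 requires all three `Defaults !rootpw`, `Defaults !runaspw` and `Defaults !targetpw` to be present (the STIG check text for the referenced IDs lists all three), this fixture will not reach the pass state on those products; confirm against the OVAL, or append all three lines. Appending to /etc/sudoers also bypasses `visudo` syntax validation and does not clear a conflicting positive `Defaults targetpw` that may exist under /etc/sudoers.d on the test image — a `visudo -cf /etc/sudoers` after the append would catch a broken fixture early.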
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
index 9a8f51450cd..b12d1f886aa 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
# packages = sudo
if [ $(sudo egrep -i '(!rootpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
index a455aa14968..93b3dfebfc8 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
# packages = sudo
if [ $(sudo egrep -i '(!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
index 1b18a8f3dc5..103cb466506 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
# packages = sudo
if [ $(sudo egrep -i '(!targetpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 7c7730c1678..7ad068fc611 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -5,8 +5,6 @@
CCE-83405-1
CCE-83406-9
CCE-83407-7
-CCE-83421-8
-CCE-83422-6
CCE-83426-7
CCE-83428-3
CCE-83429-1
From a1a982c6035564b6f151359a771d2c01131b0a6e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 26 Apr 2021 16:12:18 +0200
Subject: [PATCH 2/2] add rule to rhel7 and rhel8 stig profiles
---
rhel7/profiles/stig.profile | 1 +
4 files changed, 6 insertions(+)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 192a0874d19..fc4dbb12e11 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -106,6 +106,7 @@ selections:
- sudo_remove_nopasswd
- sudo_restrict_privilege_elevation_to_authorized
- sudo_remove_no_authenticate
+ - sudoers_validate_passwd
- accounts_logon_fail_delay
- gnome_gdm_disable_automatic_login
- gnome_gdm_disable_guest_login