From ec8ab4395f055af03b6147d40f86af4fb994ad62 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 26 Apr 2021 15:57:51 +0200
Subject: [PATCH 1/2] make rule and tests applicable to more products

Add STIG IDs for RHEL 7 and RHEL 8.
---
 .../system/software/sudo/sudoers_validate_passwd/rule.yml   | 6 +++++-
 .../tests/sudoers_validate_passwd.fail.sh                   | 2 +-
 .../tests/sudoers_validate_passwd.pass.sh                   | 2 +-
 .../tests/sudoers_validate_rootpw.fail.sh                   | 2 +-
 .../tests/sudoers_validate_runaspw.fail.sh                  | 2 +-
 .../tests/sudoers_validate_targetpw.fail.sh                 | 2 +-
 shared/references/cce-redhat-avail.txt                      | 2 --
 7 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index d0a90a3723a..8052e23c857 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 
 title: 'Ensure invoking users password for privilege escalation when using sudo'
 
-prodtype: sle15
+prodtype: fedora,ol7,ol8,rhel7,rhel8,sle15
 
 description: |-
     The sudoers security policy requires that users authenticate themselves before they can use sudo.
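Review bot: The new `prodtype` names rhel7, rhel8, ol7 and ol8 explicitly, while the test scripts in this same patch tag themselves with `multi_platform_rhel` and `multi_platform_ol`; if those family names cover more releases than the ones listed here, the tests would be scheduled for products the rule is not built for. Either narrow the test platform lines to `rhel7,rhel8,ol7,ol8` or widen `prodtype` so the two stay in step. I can only infer the family membership from the names, so confirm against the project's platform mapping before changing either side.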
@@ -20,6 +20,8 @@ rationale: |-
     the invoking user for the "root" user password.
 
 identifiers:
+    cce@rhel7: CCE-83421-8
+    cce@rhel8: CCE-83422-6
     cce@sle15: CCE-85747-4
 
 references:
@@ -27,6 +29,8 @@ references:
     nist@sle15: CM-6(b),CM-6.1(iv)
     srg: SRG-OS-000480-GPOS-00227
     stigid@sle15: SLES-15-020103
+    stigid@rhel7: RHEL-07-010342
+    stigid@rhel8: RHEL-08-010383
 
 ocil_clause: 'invoke user passwd when using sudo'
 
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
index d8b33a0ac52..9706b8bd19d 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
 # packages = sudo
 
 if [ $(sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
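Review bot: `grep -v '#'` on the last visible line drops any line that contains a `#` anywhere, so a setting such as `Defaults !rootpw  # comment` is counted as absent and the fixture may silently fail to set up the failing state it intends; anchor the filter to leading comments instead, `grep -v '^[[:space:]]*#'`. The `sudo` prefix is also unusual in a fixture that is expected to run as root and edits `/etc/sudoers` itself; if an earlier step leaves sudoers malformed, `sudo` fails and the count collapses to 0 regardless of content. The `if` body continues past this hunk.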
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
index f2461085f99..093f9dd80bf 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
 # packages = sudo
 
 echo 'Defaults !targetpw' >> /etc/sudoers
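Review bot: `echo 'Defaults !targetpw' >> /etc/sudoers` appends to the live sudoers without validating the result; running `visudo -cf /etc/sudoers` afterwards (or writing to a temporary file and checking it with `visudo -cf` before installing) would surface a broken file immediately instead of making every later `sudo` call in the fixture fail for an unrelated reason. The pass scenario also only negates `targetpw`; whether `rootpw` and `runaspw` are left at their defaults depends on the rest of the script, which continues past this hunk.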
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
index 9a8f51450cd..b12d1f886aa 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
 # packages = sudo
 
 if [ $(sudo egrep -i '(!rootpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
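Review bot: The `grep -v '#'` filter on the last visible line excludes any line with a `#` anywhere in it, so an existing `Defaults !rootpw` followed by a trailing comment would be miscounted as absent; restrict it to comment-only lines with `grep -v '^[[:space:]]*#'`. Invoking `sudo` from inside a root-run fixture that edits sudoers is also fragile, since a malformed sudoers makes `sudo` itself fail and the pipeline then reports 0. The `if` body continues past this hunk.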
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
index a455aa14968..93b3dfebfc8 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
 # packages = sudo
 
 if [ $(sudo egrep -i '(!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
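Review bot: `grep -v '#'` on the last visible line discards whole lines containing a `#` anywhere, so `Defaults !runaspw` with a trailing comment is not counted; use `grep -v '^[[:space:]]*#'` so only comment-only lines are skipped. As in the sibling fixtures, the `sudo` prefix depends on sudoers being valid at that moment, which a root-run test script editing `/etc/sudoers` cannot assume. The `if` body continues past this hunk.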
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
index 1b18a8f3dc5..103cb466506 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
 # packages = sudo
 
 if [ $(sudo egrep -i '(!targetpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
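Review bot: The `grep -v '#'` on the last visible line removes any line containing `#` anywhere, so a `Defaults !targetpw` entry with an end-of-line comment is treated as missing; `grep -v '^[[:space:]]*#'` filters only comment lines. The `sudo` prefix is also unnecessary in a fixture run as root and becomes a failure point if sudoers is malformed, in which case the count is 0 regardless of the file's content. The `if` body continues past this hunk.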
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 7c7730c1678..7ad068fc611 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -5,8 +5,6 @@
 CCE-83405-1
 CCE-83406-9
 CCE-83407-7
-CCE-83421-8
-CCE-83422-6
 CCE-83426-7
 CCE-83428-3
 CCE-83429-1

From a1a982c6035564b6f151359a771d2c01131b0a6e Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Mon, 26 Apr 2021 16:12:18 +0200
Subject: [PATCH 2/2] add rule to rhel7 and rhel8 stig profiles

---
 rhel7/profiles/stig.profile                         | 1 +
 4 files changed, 6 insertions(+)

diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 192a0874d19..fc4dbb12e11 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -106,6 +106,7 @@ selections:
     - sudo_remove_nopasswd
     - sudo_restrict_privilege_elevation_to_authorized
     - sudo_remove_no_authenticate
+    - sudoers_validate_passwd
     - accounts_logon_fail_delay
     - gnome_gdm_disable_automatic_login
     - gnome_gdm_disable_guest_login