From 7e564ab00c07d31012bb2cede57b0c7f3cd28c76 Mon Sep 17 00:00:00 2001
From: yarunachalam <yarunachalam@suse.com>
Date: Thu, 22 Apr 2021 18:58:28 +0000
Subject: [PATCH 1/6] Add Rule,Test for SLES-15-020103
Rule has no remediation.
---
.../sudoers_validate_passwd/oval/shared.xml | 44 ++++++++++++++++++
.../sudo/sudoers_validate_passwd/rule.yml | 45 +++++++++++++++++++
.../tests/sudoers_validate_passwd_fail.sh | 7 +++
.../tests/sudoers_validate_passwd_pass.sh | 6 +++
.../tests/sudoers_validate_rootpw_fail.sh | 7 +++
.../tests/sudoers_validate_runaspw_fail.sh | 7 +++
.../tests/sudoers_validate_targetpw_fail.sh | 7 +++
8 files changed, 125 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
new file mode 100644
index 00000000000..3f33b82b520
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -0,0 +1,44 @@
+<def-group>
+ <definition class="compliance" id="sudoers_validate_passwd" version="1">
+ {{{ oval_metadata("Ensure invoking user's password for privilege escalation when using sudo") }}}
+ <criteria operator="AND">
+ <criterion comment="Check Defaults !targetpw exists in /etc/sudoers file" test_ref="test_sudoers_targetpw_config" />
+ <criterion comment="Check Defaults !rootpw exists in /etc/sudoers file" test_ref="test_sudoers_rootpw_config" />
+ <criterion comment="Check Defaults !runaspw exists in /etc/sudoers file" test_ref="test_sudoers_runaspw_config" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ id="test_sudoers_targetpw_config" version="1">
+ <ind:object object_ref="object_test_sudoers_targetpw_config" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ id="test_sudoers_rootpw_config" version="1">
+ <ind:object object_ref="object_test_sudoers_rootpw_config" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ id="test_sudoers_runaspw_config" version="1">
+ <ind:object object_ref="object_test_sudoers_runaspw_config" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
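Review bot: The three patterns at L55, L61 and L67 match only the literal line `Defaults !targetpw` (and the two siblings), so a later line that re-enables the option (`Defaults targetpw`, which sudoers applies last-wins as I read sudoers(5)) still passes although the effective policy prompts for root's password, while a legal combined form such as `Defaults !targetpw, !rootpw` or a tab-separated line fails although it is compliant. A pattern that tolerates whitespace and comma-separated lists, e.g. `^\s*Defaults\s+.*!targetpw\b`, plus a companion test asserting that no uncommented `Defaults targetpw` (without the `!`) exists, would track the real sudo semantics. The `comment` attributes on the three tests (L38, L43, L48) all repeat the definition title; naming the flag each test checks makes the report readable.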
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
new file mode 100644
index 00000000000..cf564c6b533
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+title: 'Ensure invoking users password for privilege escalation when using sudo'
+
+prodtype: sle15
+
+description: |-
+ The sudoers security policy requires that users authenticate themselves before they can use sudo.
+ When sudoers requires authentication, it validates the invoking user's credentials.
+severity: medium
+
+rationale: |-
+ If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
+ the invoking user for the "root" user password.
+
+identifiers:
+ cce@sle15: CCE-85747-4
+
+references:
+ disa@sle15: CCI-000366
+ nist@sle15: CM-6(b),CM-6.1(iv)
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@sle15: SLES-15-020103
+
+ocil_clause: 'invoke user passwd when using sudo'
+
+ocil: |-
+ To Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
+
+ <pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
+
+ <pre> /etc/sudoers:Defaults !targetpw
+ /etc/sudoers:Defaults !rootpw
+ /etc/sudoers:Defaults !runaspw </pre>
+
+ If no results are returned, this is a finding
+ If "Defaults !targetpw" is not defined, this is a finding.
+ If "Defaults !rootpw" is not defined, this is a finding.
+ If "Defaults !runaspw" is not defined, this is a finding.
+
+ Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
+
+ Defaults !targetpw
+ Defaults !rootpw
+ Defaults !runaspw
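Review bot: `description` (L84–L86) never states what the rule requires — that `Defaults !targetpw`, `Defaults !rootpw` and `Defaults !runaspw` be set so sudo prompts for the invoking user's password rather than root's or the target user's — so the rendered guide shows only background, while the "Fix Text" block at L118–L122, which is that statement, sits inside the check procedure where it belongs in `description` (or in a remediation, which the commit message says is omitted). `ocil_clause` (L102) is rendered as a question ("Is it the case that …?", as I recall the build does), so `'invoke user passwd when using sudo'` reads wrongly; something like `'rootpw, targetpw or runaspw is not disabled in sudoers'` fits. In the OCIL command at L107, `grep -v '#'` discards any line containing a `#` anywhere, so a compliant `Defaults !rootpw  # comment` line would be reported as a finding; `grep -v '^\s*#'` is the usual form.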
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
new file mode 100644
index 00000000000..d8b33a0ac52
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
@@ -0,0 +1,7 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+if [ $(sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
+then
+ sed -i '/Defaults !targetpw/{:a;N;/Defaults !runaspw/!ba};/Defaults !rootpw/d' /etc/sudoers
+fi
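Review bot: The `sed` expression at L134 only removes the block when the three lines appear contiguously in the order targetpw…runaspw with rootpw between them, and the guard at L132 greps `/etc/sudoers.d/*` while the edit touches only `/etc/sudoers`, so a drop-in that sets the flags leaves the scenario in a passing state. Simpler and order-independent: `sed -i -e '/^Defaults !targetpw/d' -e '/^Defaults !rootpw/d' -e '/^Defaults !runaspw/d' /etc/sudoers` (and the same over any files present in `/etc/sudoers.d/`); the `if` is then unnecessary, since deleting an absent line is a no-op. `sudo` is redundant inside a test scenario that presumably already runs as root, and `egrep` is deprecated in favour of `grep -E`. The three single-flag scripts `sudoers_validate_rootpw_fail.sh`, `sudoers_validate_runaspw_fail.sh` and `sudoers_validate_targetpw_fail.sh` share the `sudo`/`egrep`/scope points.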
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
new file mode 100644
index 00000000000..f2461085f99
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
@@ -0,0 +1,6 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
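Review bot: Appending with `>>` at L145–L147 relies on sudo's last-match semantics to override any earlier `Defaults targetpw` the stock file may contain (SUSE's shipped sudoers enables `targetpw` if I recall correctly), which works but leaves the file self-contradictory and unvalidated; ending the script with `visudo -cf /etc/sudoers` would catch a broken sudoers before the check runs. A second pass scenario that places the three lines in a file under `/etc/sudoers.d/` is worth adding once the OVAL accepts that directory, since it is the location the OCIL text at L118 recommends.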
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
new file mode 100644
index 00000000000..9a8f51450cd
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
@@ -0,0 +1,7 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+if [ $(sudo egrep -i '(!rootpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
+then
+ sed -i '/Defaults !rootpw/d' /etc/sudoers
+fi
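Review bot: On a stock system none of the three flags is present, so this scenario ends in the same state as `sudoers_validate_passwd_fail.sh` and never exercises the case the AND criteria exist for — two flags set, one missing. Add the other two first, `echo 'Defaults !targetpw' >> /etc/sudoers` and `echo 'Defaults !runaspw' >> /etc/sudoers`, before the deletion at L159, and do the analogous thing in `sudoers_validate_runaspw_fail.sh` and `sudoers_validate_targetpw_fail.sh`. The `if` at L157 is redundant, since `sed '/…/d'` on a file without the line is a no-op.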
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
new file mode 100644
index 00000000000..a455aa14968
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
@@ -0,0 +1,7 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+if [ $(sudo egrep -i '(!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
+then
+ sed -i '/Defaults !runaspw/d' /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
new file mode 100644
index 00000000000..1b18a8f3dc5
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
@@ -0,0 +1,7 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+if [ $(sudo egrep -i '(!targetpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
+then
+ sed -i '/Defaults !targetpw/d' /etc/sudoers
+fi
From d691e2d0183c0254e0d2a095853db373247691ef Mon Sep 17 00:00:00 2001
From: yarunachalam <40246855+yarunachalam@users.noreply.github.com>
Date: Fri, 23 Apr 2021 17:09:38 +0000
Subject: [PATCH 2/6] Update
linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
.../guide/system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index cf564c6b533..2ac2153d546 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -25,7 +25,7 @@ references:
ocil_clause: 'invoke user passwd when using sudo'
ocil: |-
- To Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
+ Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
From eb314afa0554ae9badd47bc218f79e6f276fdc79 Mon Sep 17 00:00:00 2001
From: yarunachalam <40246855+yarunachalam@users.noreply.github.com>
Date: Fri, 23 Apr 2021 17:20:57 +0000
Subject: [PATCH 3/6] Apply suggestions from code review
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
.../software/sudo/sudoers_validate_passwd/oval/shared.xml | 4 ++--
.../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 3f33b82b520..1c3a83523c6 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -30,13 +30,13 @@
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
- <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
- <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
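Review bot: The new filepath pattern `^/etc/sudoers(\.d/.*)?$` at L223 and L229 (and the same change for targetpw in PATCH 5/6) accepts every file under `/etc/sudoers.d/`, but sudo's `#includedir` skips files whose names contain a `.` or end in `~` (editor backups, `*.rpmsave` and the like, per sudoers(5)), so a `Defaults !rootpw` in such a file satisfies the check without being in effect. Something like `^/etc/sudoers(\.d/[^.]*[^.~])?$` excludes those names. With the object now spanning several files and the test using `check_existence="all_exist"`, it is also worth confirming on a system that has a drop-in without the line that the test does not require a match in every file. The enclosing definition and tests sit outside this hunk.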
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index 2ac2153d546..e420e5aa151 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -28,7 +28,7 @@ ocil: |-
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
-
+The expected output is:
<pre> /etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw </pre>
From 8b4ae0c13a4992db2e908e1380b81b4d6cbacee1 Mon Sep 17 00:00:00 2001
From: yarunachalam <yarunachalam@suse.com>
Date: Fri, 23 Apr 2021 18:27:03 +0000
Subject: [PATCH 4/6] Updated review comments:
- Fixed disa record and removed blank line.
- Renamed test case files according to the required format
- Removed susefirewall2_only_required_services stig from sle15 profile
---
.../software/sudo/sudoers_validate_passwd/rule.yml | 14 ++++++--------
...swd_fail.sh => sudoers_validate_passwd.fail.sh} | 0
...swd_pass.sh => sudoers_validate_passwd.pass.sh} | 0
...tpw_fail.sh => sudoers_validate_rootpw.fail.sh} | 0
...pw_fail.sh => sudoers_validate_runaspw.fail.sh} | 0
...w_fail.sh => sudoers_validate_targetpw.fail.sh} | 0
7 files changed, 6 insertions(+), 9 deletions(-)
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_passwd_fail.sh => sudoers_validate_passwd.fail.sh} (100%)
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_passwd_pass.sh => sudoers_validate_passwd.pass.sh} (100%)
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_rootpw_fail.sh => sudoers_validate_rootpw.fail.sh} (100%)
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_runaspw_fail.sh => sudoers_validate_runaspw.fail.sh} (100%)
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_targetpw_fail.sh => sudoers_validate_targetpw.fail.sh} (100%)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index e420e5aa151..db636bc59a2 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -7,6 +7,11 @@ prodtype: sle15
description: |-
The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
+ Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
+ Defaults !targetpw
+ Defaults !rootpw
+ Defaults !runaspw
+
severity: medium
rationale: |-
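Review bot: "Fix Text: …" at L273–L276 is STIG phrasing copied into `description`; the description should state the requirement in the guide's own voice, and the concrete lines belong in a remediation rather than prose. Also, the diffstat at L259 reports 7 files changed and 9 deletions, but only six paths are listed and the rule.yml hunks account for 8 deletions, so the profile removal named in the subject (L251) appears to be missing from the patch as shown — verify the profile change is actually part of the commit.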
@@ -17,7 +22,7 @@ identifiers:
cce@sle15: CCE-85747-4
references:
- disa@sle15: CCI-000366
+ disa: CCI-000366
nist@sle15: CM-6(b),CM-6.1(iv)
srg: SRG-OS-000480-GPOS-00227
stigid@sle15: SLES-15-020103
@@ -26,7 +31,6 @@ ocil_clause: 'invoke user passwd when using sudo'
ocil: |-
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
-
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
The expected output is:
<pre> /etc/sudoers:Defaults !targetpw
@@ -37,9 +41,3 @@ The expected output is:
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
-
- Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
-
- Defaults !targetpw
- Defaults !rootpw
- Defaults !runaspw
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
From dfd5d60cb3ef52692e175efe52076495471db994 Mon Sep 17 00:00:00 2001
From: yarunachalam <40246855+yarunachalam@users.noreply.github.com>
Date: Fri, 23 Apr 2021 18:32:31 +0000
Subject: [PATCH 5/6] Apply suggestions from code review
Co-authored-by: vojtapolasek <krecoun@gmail.com>
---
.../software/sudo/sudoers_validate_passwd/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 1c3a83523c6..646e6bfb7c0 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -24,7 +24,7 @@
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
- <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
From 244471e24f9e90dd5ef54530f517b1759c87a01f Mon Sep 17 00:00:00 2001
From: yarunachalam <yarunachalam@suse.com>
Date: Fri, 23 Apr 2021 19:18:20 +0000
Subject: [PATCH 6/6] Fixed ocil record
---
.../sudo/sudoers_validate_passwd/rule.yml | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index db636bc59a2..d0a90a3723a 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -7,10 +7,11 @@ prodtype: sle15
description: |-
The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
- Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
- Defaults !targetpw
- Defaults !rootpw
- Defaults !runaspw
+ The expected output for:
+ <pre>sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
+ <pre> /etc/sudoers:Defaults !targetpw
+ /etc/sudoers:Defaults !rootpw
+ /etc/sudoers:Defaults !runaspw </pre>
severity: medium
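Review bot: `description` now carries the check command and its expected output (L364–L368), which is OCIL material, and still never says what must be configured. Replacing L364–L368 with a sentence such as `Configure sudoers with "Defaults !targetpw", "Defaults !rootpw" and "Defaults !runaspw" so that sudo prompts for the invoking user's password rather than the root or target user's.` and keeping the command and output under `ocil` would give both fields their proper content. As written, the `<pre>` at L365 holds the command and the one at L366 the output with no text separating them, so a reader cannot tell which is which.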
@@ -30,13 +31,8 @@ references:
ocil_clause: 'invoke user passwd when using sudo'
ocil: |-
- Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
+ Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
-The expected output is:
- <pre> /etc/sudoers:Defaults !targetpw
- /etc/sudoers:Defaults !rootpw
- /etc/sudoers:Defaults !runaspw </pre>
-
If no results are returned, this is a finding
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.