commit 804ab7d7e48d3d6a93aab8c99a1b71410553983b
Author: Watson Sato <wsato@redhat.com>
Date: Mon Feb 28 11:44:13 2022 +0100
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
new file mode 100644
index 0000000..0d8c9e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^#include(dir)?\s.*$'
+ register: sudoers_d_includes
+
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^#include(dir)?\s.*$'
+ state: absent
+ with_items: "{{ sudoers_d_includes.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
new file mode 100644
index 0000000..fbff5eb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+
+sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+ sed -i "/#includedir.*/d" "$sudoers_config_file"
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+ fi
+fi
+
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
+ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
new file mode 100644
index 0000000..59cab0b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
+ <criteria operator="AND">
+ <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+ <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+ <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+ comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
+ <ind:object object_ref="object_sudoers_default_includedir" />
+ <ind:state state_ref="state_sudoers_default_includedir" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+ <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
+ <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
+ </ind:textfilecontent54_state>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
+ <ind:object object_ref="object_sudoers_without_include" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
+ <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
+ <ind:object object_ref="object_sudoersd_without_includes" />
+ </ind:textfilecontent54_test>
+ <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
+ <ind:path>/etc/sudoers.d/</ind:path>
+ <ind:filename operation="pattern match">.*</ind:filename>
+ <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
new file mode 100644
index 0000000..a97bd3e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9
+
+title: 'Ensure sudo only includes the default configuration directory'
+
+description: |-
+ Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
+ other directories and configuration files from the file currently being parsed.
+
+ Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
+ The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+ <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
+ Note that the '#' character doesn't denote a comment in the configuration file.
+
+rationale: |-
+ Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
+ Use of these configuration options makes it easier for one compromised accound to be used to
+ compromise other accounts.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-86277-1
+ cce@rhel8: CCE-86377-9
+ cce@rhel9: CCE-86477-7
+
+references:
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010379
+
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+ocil: |-
+ To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
+ run the following command:
+ <pre>$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d</pre>
+ If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
+ Any other line returned is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
new file mode 100644
index 0000000..ac0c808
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
new file mode 100644
index 0000000..5bad822
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# duplicate default entry
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
new file mode 100644
index 0000000..1e0ab8a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
new file mode 100644
index 0000000..3f14ecc
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
new file mode 100644
index 0000000..8951507
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
new file mode 100644
index 0000000..ad04880
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+if ! grep -q "#include " /etc/sudoers; then
+ echo "#include /etc/my-sudoers" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
new file mode 100644
index 0000000..09d14ea
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure that there are two different indludedirs
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
new file mode 100644
index 0000000..55a072a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index bfb3753..f5fed4a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -271,6 +271,9 @@ selections:
# RHEL-08-010376
- sysctl_kernel_perf_event_paranoid
+ # RHEL-08-010379
+ - sudoers_default_includedir
+
# RHEL-08-010380
- sudo_remove_nopasswd
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ec92589..99bccc7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -478,7 +478,6 @@ CCE-86373-8
CCE-86374-6
CCE-86375-3
CCE-86376-1
-CCE-86377-9
CCE-86378-7
CCE-86379-5
CCE-86380-3
@@ -576,7 +575,6 @@ CCE-86473-6
CCE-86474-4
CCE-86475-1
CCE-86476-9
-CCE-86477-7
CCE-86478-5
CCE-86479-3
CCE-86480-1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 2411f02..2dbc2e4 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -360,6 +360,7 @@ selections:
- sudo_remove_nopasswd
- sudo_require_reauthentication
- sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
- sudoers_validate_passwd
- sysctl_crypto_fips_enabled
- sysctl_fs_protected_hardlinks
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index f0a9601..cd76884 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -371,6 +371,7 @@ selections:
- sudo_remove_nopasswd
- sudo_require_reauthentication
- sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
- sudoers_validate_passwd
- sysctl_crypto_fips_enabled
- sysctl_fs_protected_hardlinks