Blob Blame History Raw
commit 804ab7d7e48d3d6a93aab8c99a1b71410553983b
Author: Watson Sato <wsato@redhat.com>
Date:   Mon Feb 28 11:44:13 2022 +0100

    Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch.

diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
new file mode 100644
index 0000000..0d8c9e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
+  find:
+    path: "/etc/sudoers.d"
+    patterns: "*"
+    contains: '^#include(dir)?\s.*$'
+  register: sudoers_d_includes
+
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
+  lineinfile:
+    path: "{{ item.path }}"
+    regexp: '^#include(dir)?\s.*$'
+    state: absent
+  with_items: "{{ sudoers_d_includes.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
new file mode 100644
index 0000000..fbff5eb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+
+sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+    sed -i "/#includedir.*/d" "$sudoers_config_file"
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+    echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+    if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+        sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+    fi
+fi
+
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
+    sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
new file mode 100644
index 0000000..59cab0b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -0,0 +1,46 @@
+<def-group>
+  <definition class="compliance" id="{{{ rule_id }}}" version="1">
+    {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
+    <criteria operator="AND">
+      <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
+      <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
+      <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists"
+      comment="audit augenrules rmmod" id="test_sudoers_default_includedir" version="1">
+    <ind:object object_ref="object_sudoers_default_includedir" />
+    <ind:state state_ref="state_sudoers_default_includedir" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sudoers_default_includedir" version="1">
+    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:pattern operation="pattern match">^#includedir[\s]+(.*)$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+  <ind:textfilecontent54_state id="state_sudoers_default_includedir" version="1">
+    <ind:subexpression operation="equals">/etc/sudoers.d</ind:subexpression>
+  </ind:textfilecontent54_state>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+      comment="audit augenrules rmmod" id="test_sudoers_without_include" version="1">
+    <ind:object object_ref="object_sudoers_without_include" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sudoers_without_include" version="1">
+    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:pattern operation="pattern match">^#include[\s]+.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+      comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
+    <ind:object object_ref="object_sudoersd_without_includes" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_sudoersd_without_includes" version="1">
+    <ind:path>/etc/sudoers.d/</ind:path>
+    <ind:filename operation="pattern match">.*</ind:filename>
+    <ind:pattern operation="pattern match">^#include(dir)?[\s]+.*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
new file mode 100644
index 0000000..a97bd3e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9
+
+title: 'Ensure sudo only includes the default configuration directory'
+
+description: |-
+    Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
+    other directories and configuration files from the file currently being parsed.
+  
+    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
+    The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
+    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
+    Note that the '#' character doesn't denote a comment in the configuration file.
+
+rationale: |-
+   Some <tt>sudo</tt> configurtion options allow users to run programs without re-authenticating.
+   Use of these configuration options makes it easier for one compromised accound to be used to
+   compromise other accounts.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86277-1
+    cce@rhel8: CCE-86377-9
+    cce@rhel9: CCE-86477-7
+
+references:
+    disa: CCI-000366
+    srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel8: RHEL-08-010379
+
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+ocil: |-
+    To determine whether <tt>sudo</tt> command includes configuration files from the appropriate directory,
+    run the following command:
+    <pre>$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d</pre>
+    If only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.
+    Any other line returned is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
new file mode 100644
index 0000000..ac0c808
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
new file mode 100644
index 0000000..5bad822
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# duplicate default entry
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
new file mode 100644
index 0000000..1e0ab8a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
new file mode 100644
index 0000000..3f14ecc
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
new file mode 100644
index 0000000..8951507
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
new file mode 100644
index 0000000..ad04880
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+if ! grep -q "#include " /etc/sudoers; then
+    echo "#include /etc/my-sudoers" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
new file mode 100644
index 0000000..09d14ea
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure that there are two different indludedirs
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+    echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
new file mode 100644
index 0000000..55a072a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index bfb3753..f5fed4a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -271,6 +271,9 @@ selections:
     # RHEL-08-010376
     - sysctl_kernel_perf_event_paranoid
 
+    # RHEL-08-010379
+    - sudoers_default_includedir
+
     # RHEL-08-010380
     - sudo_remove_nopasswd
 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ec92589..99bccc7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -478,7 +478,6 @@ CCE-86373-8
 CCE-86374-6
 CCE-86375-3
 CCE-86376-1
-CCE-86377-9
 CCE-86378-7
 CCE-86379-5
 CCE-86380-3
@@ -576,7 +575,6 @@ CCE-86473-6
 CCE-86474-4
 CCE-86475-1
 CCE-86476-9
-CCE-86477-7
 CCE-86478-5
 CCE-86479-3
 CCE-86480-1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 2411f02..2dbc2e4 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -360,6 +360,7 @@ selections:
 - sudo_remove_nopasswd
 - sudo_require_reauthentication
 - sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
 - sudoers_validate_passwd
 - sysctl_crypto_fips_enabled
 - sysctl_fs_protected_hardlinks
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index f0a9601..cd76884 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -371,6 +371,7 @@ selections:
 - sudo_remove_nopasswd
 - sudo_require_reauthentication
 - sudo_restrict_privilege_elevation_to_authorized
+- sudoers_default_includedir
 - sudoers_validate_passwd
 - sysctl_crypto_fips_enabled
 - sysctl_fs_protected_hardlinks