Blob Blame History Raw
From 133d331a04e1ba27324291006c65c2bfa467e49d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 1 Feb 2022 16:54:16 +0100
Subject: [PATCH 1/2] Update RHEL-08-010383 to require only one occurrence of a
 config.

The V1R5 release of RHEL8 STIG requires that the configuration should be
present only in one configuration file to prevent any ordering problem
when the modules loads the configuration using drop-in files that use
the lexicographically order of file names.
---
 .../sudo/sudoers_validate_passwd/ansible/shared.yml  |  6 +++---
 .../sudo/sudoers_validate_passwd/oval/shared.xml     | 12 ++++++------
 .../software/sudo/sudoers_validate_passwd/rule.yml   |  3 ++-
 .../tests/sudoers_validate_passwd_duplicates.fail.sh |  7 +++++++
 4 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh

diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 08ffd76aed6..19673634fb3 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,6 @@
 # complexity = low
 # disruption = low
 
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 646e6bfb7c0..b3fadd53bee 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -8,17 +8,17 @@
       </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
   id="test_sudoers_targetpw_config" version="1">
     <ind:object object_ref="object_test_sudoers_targetpw_config" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
   id="test_sudoers_rootpw_config" version="1">
     <ind:object object_ref="object_test_sudoers_rootpw_config" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
   id="test_sudoers_runaspw_config" version="1">
     <ind:object object_ref="object_test_sudoers_runaspw_config" />
   </ind:textfilecontent54_test>
@@ -26,19 +26,19 @@
   <ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
     <ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
     <ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
     <ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
 </def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index ccc29b77d15..698021d8fd0 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
 ocil: |-
     Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
     <pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
-    If no results are returned, this is a finding
+    If no results are returned, this is a finding.
+    If results are returned from more than one file location, this is a finding.
     If "Defaults !targetpw" is not defined, this is a finding.
     If "Defaults !rootpw" is not defined, this is a finding.
     If "Defaults !runaspw" is not defined, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
new file mode 100644
index 00000000000..6247b5230e4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers

From 315b248c77252fc3145cdf34fede98b1a32a7c04 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 9 Feb 2022 15:24:23 +0100
Subject: [PATCH 2/2] Update remediations of sudoers_validate_passwd to remove
 duplicates.

---
 .../ansible/shared.yml                        | 20 +++++++++++++++++++
 .../sudoers_validate_passwd/bash/shared.sh    | 12 +++++++++++
 .../tests/sudoers_d_duplicate.fail.sh         |  9 +++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh

diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 19673634fb3..399ca1ea3ce 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,26 @@
 # complexity = low
 # disruption = low
 
+{{%- macro delete_line_in_sudoers_d(line) %}}
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
+  find:
+    path: "/etc/sudoers.d"
+    patterns: "*"
+    contains: '^{{{ line }}}$'
+  register: sudoers_d_defaults
+
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
+  lineinfile:
+    path: "{{ item.path }}"
+    regexp: "^{{{ line }}}$"
+    state: absent
+  with_items: "{{ sudoers_d_defaults.files }}"
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
 {{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
 {{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
 {{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
index ea0ac67fa1c..3b327f3fc88 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
@@ -1,5 +1,17 @@
 # platform = multi_platform_all
 
+{{%- macro delete_line_in_sudoers_d(line) %}}
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
+fi
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+
+
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
new file mode 100644
index 00000000000..a258d108a00
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf