From 80cee70a289588a9dc7c8f9431f073c4ce54c5f7 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 20 Apr 2021 11:32:54 +0200
Subject: [PATCH 01/10] add rhel7 stig references and update description
---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml | 9 ++++++++-
 shared/references/cce-redhat-avail.txt | 1 -
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index db1d4fc79cb..d13d24dc229 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,13 +2,16 @@ documentation_complete: true
 title: 'The operating system must restrict privilege elevation to authorized personnel'
-prodtype: sle15
+prodtype: ol7,rhel7,sle15
 description: |-
 The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms your request to execute a command by checking a file, called sudoers.
+ Restrict privileged actions by removing the following entries from the sudoers file:
+ ALL ALL=(ALL) ALL
+ ALL ALL=(ALL:ALL) ALL
 rationale: |-
 If the "sudoers" file is not configured correctly, any user defined
@@ -18,11 +21,15 @@ severity: medium
 identifiers:
 cce@sle15: CCE-85712-8
+ cce@rhel7: CCE-83423-4
 references:
 nist: CM-6(b),CM-6(iv)
 disa@sle15: CCI-000366
 stig@sle15: SLES-15-020101
+ disa@rhel7: CCI-000366
+ stigid@rhel7: RHEL-07-010341
+ srg: SRG-OS-000480-GPOS-00227
 ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 7ad068fc611..257b07d1f0b 100644
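Review bot: The added description text and the existing `ocil_clause` speak only of "the sudoers file", yet the rule ships a `sudoers_d.fail.sh` scenario (patch 04 in this series), so drop-in files under `/etc/sudoers.d/` appear to be in scope of the check as well; the text should say so, e.g. `Restrict privileged actions by removing the following entries from /etc/sudoers and from every file in /etc/sudoers.d/:`. The two `ALL ALL=(ALL) ALL` lines are plain prose inside the `|-` block scalar; if the rendered guide is meant to show them as literal configuration, wrapping them in `<pre>` as other rule descriptions do would keep them distinguishable from the sentence above — confirm against how the project renders descriptions. Both the `description` and the `rationale` block continue outside the hunk.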
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -7,7 +7,6 @@ CCE-83407-7
 CCE-83421-8
 CCE-83422-6
-CCE-83423-4
 CCE-83425-9
 CCE-83426-7
 CCE-83428-3
From 277abe35785e38337d8c17d46b8ca0372eac2f6d Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 20 Apr 2021 11:36:33 +0200
Subject: [PATCH 02/10] fix sle15 reference
---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index d13d24dc229..73812cccd83 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -26,7 +26,7 @@ identifiers:
 references:
 nist: CM-6(b),CM-6(iv)
 disa@sle15: CCI-000366
- stig@sle15: SLES-15-020101
+ stigid@sle15: SLES-15-020101
 disa@rhel7: CCI-000366
 stigid@rhel7: RHEL-07-010341
 srg: SRG-OS-000480-GPOS-00227
From d3c3c0eea1d8eac57fc517ec9209854f2ae23353 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 20 Apr 2021 11:36:56 +0200
Subject: [PATCH 03/10] add rule to the profile
---
 rhel7/profiles/stig.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index fc4dbb12e11..b0def70fd01 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -104,6 +104,7 @@ selections:
 - accounts_passwords_pam_faillock_deny
 - accounts_passwords_pam_faillock_deny_root
 - sudo_remove_nopasswd
+ - sudo_restrict_privilege_elevation_to_authorized
 - sudo_remove_no_authenticate
 - accounts_logon_fail_delay
 - gnome_gdm_disable_automatic_login
From a22162a02358b15d840fba8a57eb5b3006ed67e4 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 20 Apr 2021 11:49:46 +0200
Subject: [PATCH 04/10] update test applicability
---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh | 1 +
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh | 2 +-
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
index bc1f7aaf5a5..74aa21c68c8 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 # platform = SUSE Linux Enterprise 15
 # packages = sudo
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
index 9d38ecc7f92..50f6eb51dee 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+#!/bin/bash
 # packages = sudo
 echo 'user ALL=(admin) ALL' > /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
index f5f156829b8..4471436cada 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
@@ -1,4 +1,4 @@
-# platform = SUSE Linux Enterprise 15
+#!/bin/bash
 # packages = sudo
 # remediation = none
From 32de49c5dafdd1e8c1bb6e70b99b72ae10574060 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 20 Apr 2021 11:57:00 +0200
Subject: [PATCH 05/10] update rule also for rhel8
---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml | 6 +++++-
 shared/references/cce-redhat-avail.txt | 1 -
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index 73812cccd83..aea61df80d2 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -2,7 +2,7 @@ documentation_complete: true
 title: 'The operating system must restrict privilege elevation to authorized personnel'
-prodtype: ol7,rhel7,sle15
+prodtype: ol7,ol8,rhel7,rhel8,sle15
 description: |-
 The sudo command allows a user to execute programs with elevated
@@ -22,6 +22,8 @@ severity: medium
 identifiers:
 cce@sle15: CCE-85712-8
 cce@rhel7: CCE-83423-4
+ cce@rhel8: CCE-83425-9
+
 references:
 nist: CM-6(b),CM-6(iv)
@@ -30,6 +32,8 @@ references:
 disa@rhel7: CCI-000366
 stigid@rhel7: RHEL-07-010341
 srg: SRG-OS-000480-GPOS-00227
+ disa@rhel8: CCI-000366
+ stigid@rhel8: RHEL-08-010382
 ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 257b07d1f0b..ec8e90215f4 100644
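Review bot: The lone `+` line after `cce@rhel8: CCE-83425-9` inserts a second empty line in front of `references:` (the hunk grows from 6 to 8 lines while only one identifier is added), leaving the `identifiers` block terminated by a double blank; drop that added empty line. In the third hunk the new `disa@rhel8`/`stigid@rhel8` pair is appended after `srg:`, separating it from the `disa@rhel7`/`stigid@rhel7` pair it mirrors; placing the two lines directly above `srg:` keeps the per-product references grouped the way the rhel7 ones already are. Both the `identifiers:` and the `references:` mappings continue outside their hunks.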
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -6,7 +6,6 @@ CCE-83407-7
 CCE-83421-8
 CCE-83422-6
-CCE-83425-9
 CCE-83426-7
 CCE-83428-3
 CCE-83429-1
From 8505b5e209281f13c00581904ccc6410c76b3333 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Tue, 20 Apr 2021 12:13:01 +0200
Subject: [PATCH 07/10] update one more test applicability
---
 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
index 74aa21c68c8..8547be4d6f6 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-# platform = SUSE Linux Enterprise 15
 # packages = sudo
 echo 'ALL ALL=(ALL) ALL' > /etc/sudoers