commit 804ab7d7e48d3d6a93aab8c99a1b71410553983b
Author: Watson Sato
Date: Mon Feb 28 11:44:13 2022 +0100
Manual edited patch scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
new file mode 100644
index 0000000..0d8c9e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^#include(dir)?\s.*$'
+ register: sudoers_d_includes
+
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^#include(dir)?\s.*$'
+ state: absent
+ with_items: "{{ sudoers_d_includes.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
new file mode 100644
index 0000000..fbff5eb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
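Review bot: All three patterns in this hunk (`^#includedir.*$`, `^#include[\s]+.*$`, `^#include(dir)?\s.*$`) recognize only the legacy `#` spelling of the directive, but sudo 1.9.1 and later also accept `@include` and `@includedir`, so on a product shipping such a sudo (rhel9 is in the rule's prodtype) a drop-in pulled in through `@includedir` is left untouched by this remediation; the bash script and the OVAL check in the same commit share the blind spot, and a `^[#@]include…` form in each of them would close it. The task that edits files under /etc/sudoers.d installs the result without a syntax check; lineinfile supports `validate: '/usr/sbin/visudo -cf %s'`, and because sudo refuses to run at all when a sudoers file fails to parse, a remediation that could leave a file unparsable (deleting one line of a backslash-continued entry, for instance) should be gated on it. The name of that task also misspells `inclues` for `includes`.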
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+
+sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
+sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
+if [ "$sudoers_includedir_count" -gt 1 ]; then
+ sed -i "/#includedir.*/d" "$sudoers_config_file"
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
+ echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+ if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
+ fi
+fi
+
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
+ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
new file mode 100644
index 0000000..59cab0b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -0,0 +1,46 @@
+ + + {{{ oval_metadata("Check if sudo includes only the default includedir") }}} + + + + + + + + + + + + + /etc/sudoers + ^#includedir[\s]+(.*)$ + 1 + + + /etc/sudoers.d + + + + + + + /etc/sudoers + ^#include[\s]+.*$ + 1 + + + + + + + /etc/sudoers.d/ + .* + ^#include(dir)?[\s]+.*$ + 1 + + +
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
new file mode 100644
index 0000000..a97bd3e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
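Review bot: The /etc/sudoers handling at the top of the hunk counts and deletes with unanchored patterns, `grep -c "#includedir"` and `sed -i "/#includedir.*/d"`, so an ordinary comment that mentions the directive (a constructed example: `# see #includedir below`) pushes the count above one and is then removed together with the genuine directive, whereas the OVAL check and the later `sed -i "/^#include\s\+.*/d"` are anchored at line start. Anchoring both as `grep -c "^#includedir"` and `sed -i "/^#includedir.*/d"` keeps the remediation measuring what the check measures. The directory pass uses `grep -Pr`, which descends into subdirectories sudo never reads, and the following `sed -i … "$sudoers_config_dir"/*` then exits non-zero on any directory entry it meets; `grep -PlZ "^#include(dir)? .*" "$sudoers_config_dir"/* | xargs -0r sed -i "/^#include\(dir\)\?\s\+.*/d"` limits the edit to the matching regular files. That guard also requires a literal space after `include(dir)?` while the sed and the OVAL accept any whitespace, so a tab-separated directive is deleted by one path and ignored by the other. None of the edits to sudoers files pass through `visudo -cf`, so a parse error left behind surfaces only when sudo next refuses to run.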
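Review bot: The includedir object captures the whole remainder of the line with `^#includedir[\s]+(.*)$` and the state compares it with the literal `/etc/sudoers.d`, so an equivalent directive written as `#includedir /etc/sudoers.d/`, or one with trailing whitespace, is reported as a finding although sudo reads the same directory; the element markup is stripped in this rendering, so this is inferred from the pattern and the expected value that survive. A capture that tolerates the two harmless variants, `^#includedir[\s]+(\S+?)/?[\s]*$`, keeps the comparison exact on the path itself. Whether the definition also asserts that exactly one such line exists (which `duplicate_includedir.fail.sh` relies on) cannot be read from what is visible here and is worth confirming against the file.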
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9
+
+title: 'Ensure sudo only includes the default configuration directory'
+
+description: |-
+ Administrators can configure authorized sudo users via drop-in files, and it is possible to include
+ other directories and configuration files from the file currently being parsed.
+
+ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d.
+ The /etc/sudoers should contain only one #includedir directive pointing to
+ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories.
+ Note that the '#' character doesn't denote a comment in the configuration file.
+
+rationale: |-
+ Some sudo configurtion options allow users to run programs without re-authenticating.
+ Use of these configuration options makes it easier for one compromised accound to be used to
+ compromise other accounts.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-86277-1
+ cce@rhel8: CCE-86377-9
+ cce@rhel9: CCE-86477-7
+
+references:
+ disa: CCI-000366
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel8: RHEL-08-010379
+
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+ocil: |-
+ To determine whether sudo command includes configuration files from the appropriate directory,
+ run the following command:
+ $ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
+ If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly.
+ Any other line returned is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
new file mode 100644
index 0000000..ac0c808
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
new file mode 100644
index 0000000..5bad822
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# duplicate default entry
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
new file mode 100644
index 0000000..1e0ab8a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
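Review bot: `ocil_clause` tells the assessor the finding is that /etc/sudoers doesn't include `/etc/sudores.d`, a misspelling of `/etc/sudoers.d` that reads as a real, different path once the guide is rendered, and `rationale` has `configurtion` and `accound` for `configuration` and `account`. The rationale also talks only about re-authentication options and never says why include directives matter for this rule; a sentence such as `An include that points outside /etc/sudoers.d pulls sudo policy from a location this rule does not inspect, so privilege grants can be placed there without the check noticing.` would tie it to the title. The `ocil` procedure itself is sound: its `grep -rP '^#include(dir)?'` covers both directives and the expected single result line is spelled out.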
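Review bot: `duplicate_includedir.fail.sh` appends the default line only when it is already present, so on an image whose /etc/sudoers lacks `#includedir /etc/sudoers.d` the scenario writes nothing and degenerates into the `no_includedir` case, which would hide a regression in the duplicate detection behind a pass for the wrong reason. Mirror `default_includedir.pass.sh` by keeping its guarded append and follow it with an unconditional `echo "#includedir /etc/sudoers.d" >> /etc/sudoers`, so the file always ends up with exactly two copies of the directive.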
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
new file mode 100644
index 0000000..3f14ecc
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
new file mode 100644
index 0000000..8951507
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+mkdir -p /etc/sudoers.d
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
new file mode 100644
index 0000000..ad04880
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+if ! grep -q "#include " /etc/sudoers; then
+ echo "#include /etc/my-sudoers" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
new file mode 100644
index 0000000..09d14ea
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure that there are two different indludedirs
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
new file mode 100644
index 0000000..55a072a
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index bfb3753..f5fed4a 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -271,6 +271,9 @@ selections: # RHEL-08-010376 - sysctl_kernel_perf_event_paranoid + # RHEL-08-010379 + - sudoers_default_includedir + # RHEL-08-010380 - sudo_remove_nopasswd
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ec92589..99bccc7 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -478,7 +478,6 @@ CCE-86373-8 CCE-86374-6 CCE-86375-3 CCE-86376-1 -CCE-86377-9 CCE-86378-7 CCE-86379-5 CCE-86380-3
@@ -576,7 +575,6 @@ CCE-86473-6 CCE-86474-4 CCE-86475-1 CCE-86476-9 -CCE-86477-7 CCE-86478-5 CCE-86479-3 CCE-86480-1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 2411f02..2dbc2e4 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -360,6 +360,7 @@ selections: - sudo_remove_nopasswd - sudo_require_reauthentication - sudo_restrict_privilege_elevation_to_authorized +- sudoers_default_includedir - sudoers_validate_passwd - sysctl_crypto_fips_enabled - sysctl_fs_protected_hardlinks
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index f0a9601..cd76884 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -371,6 +371,7 @@ selections: - sudo_remove_nopasswd - sudo_require_reauthentication - sudo_restrict_privilege_elevation_to_authorized +- sudoers_default_includedir - sudoers_validate_passwd - sysctl_crypto_fips_enabled - sysctl_fs_protected_hardlinks