2022-05-10 07:07:44 +00:00
|
|
|
From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001
|
2022-04-26 13:52:49 +00:00
|
|
|
From: Gabriel Becker <ggasparb@redhat.com>
|
2022-05-10 07:07:44 +00:00
|
|
|
Date: Mon, 14 Feb 2022 15:54:37 +0100
|
|
|
|
Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config.
|
2022-04-26 13:52:49 +00:00
|
|
|
|
2022-05-10 07:07:44 +00:00
|
|
|
This configuration must appear at only one place so it doesn't get
|
|
|
|
overriden by a different file that can loaded on a different order and
|
|
|
|
the intended configuration is replaced by non-compliant value.
|
2022-04-26 13:52:49 +00:00
|
|
|
---
|
2022-05-10 07:07:44 +00:00
|
|
|
.../ansible/shared.yml | 36 ++++++++++++++++++
|
|
|
|
.../bash/shared.sh | 38 +++++++++++++++++++
|
2022-04-26 13:52:49 +00:00
|
|
|
.../oval/shared.xml | 4 +-
|
|
|
|
.../sudo_require_reauthentication/rule.yml | 14 +------
|
|
|
|
.../tests/multiple_correct_value.fail.sh | 10 +++++
|
2022-05-10 07:07:44 +00:00
|
|
|
5 files changed, 87 insertions(+), 15 deletions(-)
|
2022-04-26 13:52:49 +00:00
|
|
|
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
|
|
|
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
|
|
|
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
|
|
|
|
|
|
|
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
|
|
|
new file mode 100644
|
2022-05-10 07:07:44 +00:00
|
|
|
index 00000000000..b0c67a69af9
|
2022-04-26 13:52:49 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
|
|
|
|
@@ -0,0 +1,36 @@
|
|
|
|
+# platform = multi_platform_all
|
|
|
|
+# reboot = false
|
|
|
|
+# strategy = restrict
|
|
|
|
+# complexity = low
|
|
|
|
+# disruption = low
|
|
|
|
+
|
|
|
|
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
|
|
|
|
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
|
|
|
|
+ find:
|
|
|
|
+ path: "/etc/sudoers.d"
|
|
|
|
+ patterns: "*"
|
|
|
|
+ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
|
|
|
|
+ register: sudoers_d_defaults_timestamp_timeout
|
|
|
|
+
|
|
|
|
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
|
|
|
|
+ lineinfile:
|
|
|
|
+ path: "{{ item.path }}"
|
|
|
|
+ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
|
|
|
|
+ state: absent
|
|
|
|
+ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
|
|
|
|
+
|
|
|
|
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
|
|
|
|
+ lineinfile:
|
|
|
|
+ path: /etc/sudoers
|
|
|
|
+ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
|
|
|
|
+ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
|
|
|
|
+ validate: /usr/sbin/visudo -cf %s
|
|
|
|
+ backrefs: yes
|
|
|
|
+ register: edit_sudoers_timestamp_timeout_option
|
|
|
|
+
|
|
|
|
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
|
|
|
|
+ lineinfile: # noqa 503
|
|
|
|
+ path: /etc/sudoers
|
|
|
|
+ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
|
|
|
|
+ validate: /usr/sbin/visudo -cf %s
|
|
|
|
+ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
|
|
|
|
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
|
|
|
new file mode 100644
|
2022-05-10 07:07:44 +00:00
|
|
|
index 00000000000..0b623ed4a49
|
2022-04-26 13:52:49 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
|
2022-05-10 07:07:44 +00:00
|
|
|
@@ -0,0 +1,38 @@
|
2022-04-26 13:52:49 +00:00
|
|
|
+# platform = multi_platform_all
|
|
|
|
+# reboot = false
|
|
|
|
+# strategy = restrict
|
|
|
|
+# complexity = low
|
|
|
|
+# disruption = low
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
|
|
|
|
+
|
|
|
|
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
|
|
|
|
+ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+if /usr/sbin/visudo -qcf /etc/sudoers; then
|
|
|
|
+ cp /etc/sudoers /etc/sudoers.bak
|
|
|
|
+ if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
|
|
|
|
+ # sudoers file doesn't define Option timestamp_timeout
|
|
|
|
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
|
|
|
|
+ else
|
|
|
|
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
|
|
|
|
+ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
|
|
|
|
+
|
|
|
|
+ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
|
|
|
|
+ fi
|
|
|
|
+ fi
|
|
|
|
+
|
|
|
|
+ # Check validity of sudoers and cleanup bak
|
|
|
|
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
|
|
|
|
+ rm -f /etc/sudoers.bak
|
|
|
|
+ else
|
|
|
|
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
|
|
|
|
+ mv /etc/sudoers.bak /etc/sudoers
|
|
|
|
+ false
|
|
|
|
+ fi
|
|
|
|
+else
|
|
|
|
+ echo "Skipping remediation, /etc/sudoers failed to validate"
|
|
|
|
+ false
|
|
|
|
+fi
|
|
|
|
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
2022-05-10 07:07:44 +00:00
|
|
|
index 8f404ca6065..dfc319b6f1f 100644
|
2022-04-26 13:52:49 +00:00
|
|
|
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
|
|
|
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
|
|
|
|
@@ -6,13 +6,13 @@
|
|
|
|
</criteria>
|
|
|
|
</definition>
|
|
|
|
|
|
|
|
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
|
|
|
|
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
|
|
|
|
<ind:object object_ref="obj_sudo_timestamp_timeout"/>
|
|
|
|
<ind:state state_ref="state_sudo_timestamp_timeout" />
|
|
|
|
</ind:textfilecontent54_test>
|
|
|
|
|
|
|
|
<ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
|
|
|
|
- <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
|
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
|
<ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
|
|
|
|
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
|
|
|
|
</ind:textfilecontent54_object>
|
|
|
|
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
2022-05-10 07:07:44 +00:00
|
|
|
index 42c6e28f9e6..eebb96678f1 100644
|
2022-04-26 13:52:49 +00:00
|
|
|
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
|
|
|
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
|
2022-05-10 07:07:44 +00:00
|
|
|
@@ -50,16 +50,4 @@ ocil: |-
|
2022-04-26 13:52:49 +00:00
|
|
|
<pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
|
|
|
|
The output should be:
|
|
|
|
<pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
|
|
|
|
-
|
|
|
|
-template:
|
|
|
|
- name: sudo_defaults_option
|
|
|
|
- vars:
|
|
|
|
- option: timestamp_timeout
|
|
|
|
- variable_name: "var_sudo_timestamp_timeout"
|
|
|
|
- # optional minus char added so remediation can detect properly if item is already configured
|
|
|
|
- option_regex_suffix: '=[-]?\w+\b'
|
|
|
|
- backends:
|
|
|
|
- # Template is not able to accomodate this particular check.
|
|
|
|
- # It needs to check for an integer greater than or equal to zero
|
|
|
|
- oval: "off"
|
|
|
|
-
|
|
|
|
+ If results are returned from more than one file location, this is a finding.
|
|
|
|
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
|
|
|
new file mode 100644
|
2022-05-10 07:07:44 +00:00
|
|
|
index 00000000000..a258d6632b5
|
2022-04-26 13:52:49 +00:00
|
|
|
--- /dev/null
|
|
|
|
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
|
|
|
|
@@ -0,0 +1,10 @@
|
|
|
|
+#!/bin/bash
|
|
|
|
+
|
|
|
|
+
|
|
|
|
+if grep -q 'timestamp_timeout' /etc/sudoers; then
|
|
|
|
+ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
|
|
|
|
+else
|
|
|
|
+ echo "Defaults timestamp_timeout=3" >> /etc/sudoers
|
|
|
|
+fi
|
|
|
|
+
|
|
|
|
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf
|