From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Mon, 14 Feb 2022 15:54:37 +0100
Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config. This configuration must appear at only one place so it doesn't get overriden by a different file that can loaded on a different order and the intended configuration is replaced by non-compliant value.
---
 .../ansible/shared.yml | 36 ++++++++++++++++++
 .../bash/shared.sh | 38 +++++++++++++++++++
 .../oval/shared.xml | 4 +-
 .../sudo_require_reauthentication/rule.yml | 14 +------
 .../tests/multiple_correct_value.fail.sh | 10 +++++
 5 files changed, 87 insertions(+), 15 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
new file mode 100644
index 00000000000..b0c67a69af9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
@@ -0,0 +1,36 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+ register: sudoers_d_defaults_timestamp_timeout
+
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+ state: absent
+ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
+
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
+ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
+ validate: /usr/sbin/visudo -cf %s
+ backrefs: yes
+ register: edit_sudoers_timestamp_timeout_option
+
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
+ lineinfile: # noqa 503
+ path: /etc/sudoers
+ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
+ validate: /usr/sbin/visudo -cf %s
+ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
new file mode 100644
index 00000000000..0b623ed4a49
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
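Review bot: The task that deletes `Defaults timestamp_timeout` lines from the /etc/sudoers.d files (second task in the hunk) runs lineinfile with `state: absent` and no `validate:`, while both later edits of /etc/sudoers are validated with visudo; a deletion that leaves a drop-in unparsable (for example when the removed line was continued with a trailing backslash) can make sudo refuse commands host-wide, so the same `validate: /usr/sbin/visudo -cf %s` belongs on that task. The third task, using `backrefs`, rewrites only the last line matching its regexp, so two `Defaults timestamp_timeout` lines inside /etc/sudoers itself both survive the remediation; if the OVAL in this commit counts occurrences rather than files, such a host cannot be brought into compliance by this playbook. `backrefs: yes` would be safer as `backrefs: true`, since `yes` is a boolean only under YAML 1.1.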
@@ -0,0 +1,38 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
+
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
+fi
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option timestamp_timeout
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
+ else
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
+
+ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
index 8f404ca6065..dfc319b6f1f 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
@@ -6,13 +6,13 @@ - + - /etc/sudoers + ^/etc/sudoers(\.d/.*)?$ ^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$ 1 
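Review bot: The three patterns in this script that are not evaluated by PCRE — the `grep -x` and the `sed -i` deletion over /etc/sudoers.d, and the later `sed -Ei` substitution on /etc/sudoers — write `[\s]*`, which inside a POSIX bracket expression is not a whitespace class but matches a literal backslash or the letter `s`; an indented `    Defaults timestamp_timeout=...` line is therefore neither removed from a drop-in nor rewritten in /etc/sudoers, even though the `grep -P` checks beside them, the Ansible regexes and the OVAL regex in this same commit do treat it as a match. Replace it with `[[:space:]]*` in those three places, e.g. `grep -x '^[[:space:]]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*`, and likewise in `sed -i "/^[[:space:]]*Defaults.*\btimestamp_timeout=.*/d"` and the `s/(^[[:space:]]*Defaults.*` substitution. The drop-in deletion is also the only edit here with no visudo check afterwards; mirroring the backup-and-validate sequence used for /etc/sudoers would avoid leaving a drop-in that sudo refuses to parse.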
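Review bot: The new path pattern `^/etc/sudoers(\.d/.*)?$` also matches drop-in names that sudo itself never reads — files whose name contains a `.` or ends in `~`, which the includedir handling skips precisely to ignore editor and package-manager backups — so a stale backup carrying a `Defaults timestamp_timeout` line would be picked up as an additional match; this does mirror the STIG's `grep -ri ... /etc/sudoers.d` literally, but a short comment on the object saying that the over-match is intended would keep a later reader from narrowing the pattern and silently diverging from the STIG text. The XML tags of this hunk did not survive extraction, so whether the object is evaluated with a one-instance existence check or an all-instances count cannot be confirmed from what is shown here.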
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
index 42c6e28f9e6..eebb96678f1 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
@@ -50,16 +50,4 @@ ocil: |-
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
The output should be:
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number. - -template: - name: sudo_defaults_option - vars: - option: timestamp_timeout - variable_name: "var_sudo_timestamp_timeout" - # optional minus char added so remediation can detect properly if item is already configured - option_regex_suffix: '=[-]?\w+\b' - backends: - # Template is not able to accomodate this particular check. - # It needs to check for an integer greater than or equal to zero - oval: "off" - + If results are returned from more than one file location, this is a finding. diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh new file mode 100644 index 00000000000..a258d6632b5 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh @@ -0,0 +1,10 @@ +#!/bin/bash + + +if grep -q 'timestamp_timeout' /etc/sudoers; then + sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers +else + echo "Defaults timestamp_timeout=3" >> /etc/sudoers +fi + +echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf