From 19bd5adfd804590b15e42cc75287b792706286d5 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 10 Feb 2022 15:25:06 +0100
Subject: [PATCH 1/9] Add rule to check for default sudoers includedir
This rule supports RHEL-08-010379.
---
.../ansible/shared.yml | 7 ++++
.../sudoers_default_includedir/bash/shared.sh | 11 ++++++
.../oval/shared.xml | 23 +++++++++++
.../sudo/sudoers_default_includedir/rule.yml | 38 +++++++++++++++++++
.../tests/default_includedir.pass.sh | 7 ++++
.../tests/duplicate_includedir.fail.sh | 7 ++++
.../tests/no_includedir.fail.sh | 4 ++
.../tests/two_includedir.fail.sh | 8 ++++
shared/references/cce-redhat-avail.txt | 3 --
9 files changed, 105 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
new file mode 100644
index 00000000000..d9d5933285f
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
@@ -0,0 +1,7 @@ +# platform = multi_platform_all +# # reboot = false +# # strategy = configure +# # complexity = low +# # disruption = low + +{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh new file mode 100644 index 00000000000..3a9e2da985b --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh @@ -0,0 +1,11 @@ +# platform = multi_platform_all + +sudoers_config_file="/etc/sudoers" +sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file") +if [ "$sudoers_includedir_count" -gt 1 ]; then + sed -i "/#includedir.*/d" "$sudoers_config_file" + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +fi +if [ "$sudoers_includedir_count" -eq 0 ]; then + echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" +fi diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml new file mode 100644 index 00000000000..5618c64291c --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml @@ -0,0 +1,23 @@ + + + {{{ oval_metadata("Check if sudo includes only the default includedir") }}} + + + + + + + + + + + /etc/sudoers + ^#includedir[\s]+(.*)$ + 1 + + + /etc/sudoers.d + + + diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml new file mode 100644 index 00000000000..5c33121f911 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml 
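Review bot: The `grep -c "#includedir"` that feeds `sudoers_includedir_count` and the `sed -i "/#includedir.*/d"` in the `-gt 1` branch are unanchored, so an ordinary comment such as `# #includedir old`, or the word inside a longer line, is counted as a directive and then deleted, while the Ansible remediation in the same commit anchors on `^#includedir.*$`; `grep -c '^#includedir'` and `sed -i '/^#includedir/d'` would make the two remediations agree on what counts as a directive. The two `echo … >> "$sudoers_config_file"` appends also assume the file ends with a newline; if it does not, the directive is glued onto the last line and sudo reports a parse error for the whole file, so guard with `[ -z "$(tail -c1 "$sudoers_config_file")" ] || echo >> "$sudoers_config_file"` before appending. `grep -c` exits 1 when nothing matches, which is harmless here because nothing visible sets `-e`, but a short comment saying so would stop a later `set -e` from silently changing the behaviour.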
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8,rhel9
+
+title: 'Ensure sudo only includes the default configuration directory'
+
+description: |-
+ Administrators can configure authorized sudo users via drop-in files, and it is possible to include
+ other directories and configuration files from the file currently being parsed.
+
+ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d.
+ The /etc/sudoers should contain only one #includedir directive pointing to
+ /etc/sudoers.d
+ Note that the '#' character doesn't denote a comment in the configuration file.
+
+rationale: |-
+ Some sudo configurtion options allow users to run programs without re-authenticating.
+ Use of these configuration options makes it easier for one compromised accound to be used to
+ compromise other accounts.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-86277-1
+ cce@rhel8: CCE-86377-9
+ cce@rhel9: CCE-86477-7
+
+references:
+ disa: CCI-000366
+ stigid@rhel8: RHEL-08-010379
+
+ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?"
+
+ocil: |-
+ To determine whether sudo command includes configuration files from the appropriate directory,
+ run the following command:
+
$ sudo grep 'include' /etc/sudoers
+ If only the line #includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly.
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
new file mode 100644
index 00000000000..ac0c808ccd6
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/default_includedir.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
new file mode 100644
index 00000000000..5bad8225625
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/duplicate_includedir.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# duplicate default entry
+if grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
new file mode 100644
index 00000000000..1e0ab8aea92
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
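Review bot: The rationale does not explain this rule: it discusses options that let users run programs without re-authenticating, while the check is about which files and directories sudo includes; a rationale along the lines of `Restricting sudo to a single, known include directory ensures the effective policy cannot be extended from files outside the managed configuration, and that duplicated or unexpected includes are not silently applied.` would match the title and description. The user-facing strings also carry typos: `configurtion` and `accound` in the rationale, `/etc/sudores.d` in ocil_clause, and the ocil line `#includedir /etc/sudoers>`, which should read `#includedir /etc/sudoers.d` (the markup around it appears lost in this rendering, so the exact original text should be checked).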
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh new file mode 100644 index 00000000000..09d14eab630 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/two_includedir.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = multi_platform_all + +# Ensure that there are two different indludedirs +if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then + echo "#includedir /etc/sudoers.d" >> /etc/sudoers +fi +echo "#includedir /opt/extra_config.d" >> /etc/sudoers diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 41caad9f0d0..f2990adb537 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -340,7 +340,6 @@ CCE-86273-0 CCE-86274-8 CCE-86275-5 CCE-86276-3 -CCE-86277-1 CCE-86278-9 CCE-86279-7 CCE-86281-3 @@ -428,7 +427,6 @@ CCE-86373-8 CCE-86374-6 CCE-86375-3 CCE-86376-1 -CCE-86377-9 CCE-86378-7 CCE-86379-5 CCE-86380-3 @@ -524,7 +522,6 @@ CCE-86473-6 CCE-86474-4 CCE-86475-1 CCE-86476-9 -CCE-86477-7 CCE-86478-5 CCE-86479-3 CCE-86480-1 From 99fe46922243e8dff5822e2ed6eb49addd000baa Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Thu, 10 Feb 2022 16:21:46 +0100 Subject: [PATCH 2/9] Select rule in RHEL8 STIG Select sudoers_default_indludedir aligning to RHEL8 STIG V1R5 --- products/rhel8/profiles/stig.profile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index d92bc72971c..e13bda7a787 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -271,6 +271,9 @@ selections: # RHEL-08-010376 - sysctl_kernel_perf_event_paranoid + # RHEL-08-010379 + - sudoers_default_includedir + # RHEL-08-010380 - sudo_remove_nopasswd 
From 3686fe72a6e27049f1c46d0a4efa07e1b42b6a20 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Thu, 10 Feb 2022 17:26:59 +0100
Subject: [PATCH 3/9] Add test and fix for case when the single includedir is wrong
---
.../sudo/sudoers_default_includedir/bash/shared.sh | 7 +++++--
.../tests/wrong_includedir.fail.sh | 5 +++++
2 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
index 3a9e2da985b..258af02c121 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
@@ -5,7 +5,10 @@ sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
if [ "$sudoers_includedir_count" -gt 1 ]; then
sed -i "/#includedir.*/d" "$sudoers_config_file"
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
-fi
-if [ "$sudoers_includedir_count" -eq 0 ]; then
+elif [ "$sudoers_includedir_count" -eq 0 ]; then
echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file"
+else
+ if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then
+ sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers
+ fi
fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
new file mode 100644
index 00000000000..55a072adf3c
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/wrong_includedir.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+sed -i "/#includedir.*/d" /etc/sudoers
+echo "#includedir /opt/extra_config.d" >> /etc/sudoers
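Review bot: The new `grep -q "^#includedir /etc/sudoers.d"` in the `else` branch has no end anchor and an unescaped `.`, so a single directive like `#includedir /etc/sudoers.d.bak` or `#includedir /etc/sudoers.dx` is accepted as already correct and left untouched, while the OVAL from the first commit appears to compare the captured path with `/etc/sudoers.d` exactly and would keep failing; tighten it to `grep -qE '^#includedir[[:space:]]+/etc/sudoers\.d[[:space:]]*$'`. The `g` flag on `s|^#includedir.*|#includedir /etc/sudoers.d|g` is a no-op with a `^` anchor and can go. The scenario added here only covers a completely different directory, so a prefix-matching path such as the one above is worth its own `.fail.sh`.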
From 0b20b495ed82cead1a033170b900c13da5260603 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 14 Feb 2022 14:50:11 +0100
Subject: [PATCH 4/9] Add tests for sudo file and dir includes in /etc/sudoers.d
---
.../tests/sudoers.d_with_include.fail.sh | 9 +++++++++
.../tests/sudoers.d_with_includedir.fail.sh | 9 +++++++++
.../tests/sudoers_with_include.fail.sh | 11 +++++++++++
3 files changed, 29 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
new file mode 100644
index 00000000000..554ef2e060d
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#include /etc/my-sudoers" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
new file mode 100644
index 00000000000..516b68b5a3e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+echo "#includedir /etc/my-sudoers.d" > /etc/sudoers.d/my-sudoers
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
new file mode 100644
index 00000000000..ad04880e334
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers_with_include.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+# Ensure default config is there
+if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
+ echo "#includedir /etc/sudoers.d" >> /etc/sudoers
+fi
+
+if ! grep -q "#include " /etc/sudoers; then
+ echo "#include /etc/my-sudoers" >> /etc/sudoers
+fi
From d91e3eefe6c265c27634cb15b0f276a298f81645 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Mon, 14 Feb 2022 14:59:18 +0100
Subject: [PATCH 5/9] Update rule catch and remove other sudo includes
Any other #include or #includedir besides: "/etc/sudoers: #includedir /etc/sudoers.d" should be removed.
---
.../ansible/shared.yml | 14 +++++++++++
.../sudoers_default_includedir/bash/shared.sh | 7 ++++--
.../oval/shared.xml | 23 +++++++++++++++++++
.../sudo/sudoers_default_includedir/rule.yml | 7 +++---
4 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
index d9d5933285f..175a447e0d9 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml
@@ -5,3 +5,17 @@
# # disruption = low
{{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}}
+{{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}}
+- name: "Find out if /etc/sudoers.d/* files contain file or directory includes"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^#include(dir)?\s.*$'
+ register: sudoers_d_includes
+
+- name: "Remove found occurrences of file and directory inclues from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^#include(dir)?\s.*$'
+ state: absent
+ with_items: "{{ sudoers_d_includes.files }}"
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
index 258af02c121..2d00b471677 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
@@ -1,6 +1,7 @@
# platform = multi_platform_all
sudoers_config_file="/etc/sudoers"
+sudoers_config_dir="/etc/sudoers.d"
sudoers_includedir_count=$(grep -c "#includedir" "$sudoers_config_file")
if [ "$sudoers_includedir_count" -gt 1 ]; then
sed -i "/#includedir.*/d" "$sudoers_config_file"
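Review bot: Every pattern this commit adds — `^#include[\s]+.*$` and `^#include(dir)?\s.*$` here, the `\s\+` sed expressions in bash/shared.sh, the OVAL regexes and the `grep -rP '^#include(dir)?'` in the OCIL — recognises only the legacy `#include` spelling, but prodtype covers fedora and rhel9, whose sudo (1.9.1 and later) equally honours `@include` and `@includedir`; an `@includedir /some/dir` line in /etc/sudoers or a drop-in therefore passes the check and survives remediation. Widening the regexes to `^[#@]include(dir)?\s.*$` (and `^[#@]include\(dir\)\?\s\+` on the sed side) closes the gap, and the rule description should then say that both spellings are covered. The second task's name has a typo, `inclues`, which is printed in every Ansible run log.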
@@ -8,7 +9,9 @@ if [ "$sudoers_includedir_count" -gt 1 ]; then elif [ "$sudoers_includedir_count" -eq 0 ]; then echo "#includedir /etc/sudoers.d" >> "$sudoers_config_file" else - if ! grep -q "^#includedir /etc/sudoers.d" /etc/sudoers; then - sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" /etc/sudoers + if ! grep -q "^#includedir /etc/sudoers.d" "$sudoers_config_file"; then + sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file" fi fi +sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/* +sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/* diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml index 5618c64291c..59cab0b89de 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml @@ -3,6 +3,8 @@ {{{ oval_metadata("Check if sudo includes only the default includedir") }}} + + @@ -20,4 +22,25 @@ /etc/sudoers.d + + + + + /etc/sudoers + ^#include[\s]+.*$ + 1 + + + + + + + /etc/sudoers.d/ + .* + ^#include(dir)?[\s]+.*$ + 1 + + diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml index 5c33121f911..3a8c22ac8af 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml @@ -10,7 +10,7 @@ description: |- Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d. The /etc/sudoers should contain only one #includedir directive pointing to - /etc/sudoers.d + /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories. Note that the '#' character doesn't denote a comment in the configuration file. rationale: |- 
@@ -34,5 +34,6 @@ ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other ocil: |- To determine whether sudo command includes configuration files from the appropriate directory, run the following command: -
$ sudo grep 'include' /etc/sudoers
- If only the line #includedir /etc/sudoers> is returned, then the drop-in file configuration is set correctly. +
$ sudo grep -rP '^#include(dir)?' /etc/sudoers /etc/sudoers.d
+ If only the line /etc/sudoers:#includedir /etc/sudoers.d is returned, then the drop-in include configuration is set correctly. + Any other line returned is a finding. From ead72b744f1fc03893184079c079df27780044c2 Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 14 Feb 2022 15:00:46 +0100 Subject: [PATCH 6/9] Add SRG to sudoers_default_includedir --- .../system/software/sudo/sudoers_default_includedir/rule.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml index 3a8c22ac8af..a97bd3efb2c 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml @@ -27,6 +27,7 @@ identifiers: references: disa: CCI-000366 + srg: SRG-OS-000480-GPOS-00227 stigid@rhel8: RHEL-08-010379 ocil_clause: "the /etc/sudoers doesn't include /etc/sudores.d or includes other directories?" From c1a08fe6b8e6388b89b190ca74e57af06e7c999c Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 14 Feb 2022 16:12:32 +0100 Subject: [PATCH 7/9] Update RHEL8 STIG profile stability data --- tests/data/profile_stability/rhel8/stig.profile | 1 + tests/data/profile_stability/rhel8/stig_gui.profile | 1 + 2 files changed, 2 insertions(+) diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index e4fee44f9f9..974b28757e9 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -365,6 +365,7 @@ selections: - sudo_remove_nopasswd - sudo_require_reauthentication - sudo_restrict_privilege_elevation_to_authorized +- sudoers_default_includedir - sudoers_validate_passwd - sysctl_crypto_fips_enabled - sysctl_fs_protected_hardlinks 
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 83d04775e3a..99e0af4f5a6 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -376,6 +376,7 @@ selections: - sudo_remove_nopasswd - sudo_require_reauthentication - sudo_restrict_privilege_elevation_to_authorized +- sudoers_default_includedir - sudoers_validate_passwd - sysctl_crypto_fips_enabled - sysctl_fs_protected_hardlinks From adae3ecbda4362e23cd1f30e053db37d6a1d403b Mon Sep 17 00:00:00 2001 From: Watson Sato Date: Mon, 14 Feb 2022 16:59:22 +0100 Subject: [PATCH 8/9] Fix Ansible remediation metadata --- .../sudo/sudoers_default_includedir/ansible/shared.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml index 175a447e0d9..0d8c9e75184 100644 --- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml +++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/ansible/shared.yml @@ -1,8 +1,8 @@ # platform = multi_platform_all -# # reboot = false -# # strategy = configure -# # complexity = low -# # disruption = low +# reboot = false +# strategy = configure +# complexity = low +# disruption = low {{{ ansible_only_lineinfile(msg='Ensure sudo only has the default includedir', line_regex='^#includedir.*$', path='/etc/sudoers', new_line='#includedir /etc/sudoers.d') }}} {{{ ansible_lineinfile(msg='Ensure sudoers doesn\'t include other non-default file', regex='^#include[\s]+.*$', path='/etc/sudoers', state='absent') }}} From d3f048456908b316c0dcc0bff2328cf87fe6e7de Mon Sep 17 00:00:00 2001 
From: Watson Sato
Date: Mon, 14 Feb 2022 17:39:39 +0100
Subject: [PATCH 9/9] Handle case when /etc/sudoers.d doesn't exist
The remediation skips the directory, and the test scenarios create the dir to ensure the test scenario works.
---
.../sudo/sudoers_default_includedir/bash/shared.sh | 8 ++++++--
.../tests/sudoers.d_with_include.fail.sh | 1 +
.../tests/sudoers.d_with_includedir.fail.sh | 1 +
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
index 2d00b471677..fbff5eb6f30 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/bash/shared.sh
@@ -13,5 +13,9 @@ else
sed -i "s|^#includedir.*|#includedir /etc/sudoers.d|g" "$sudoers_config_file"
fi
fi
-sed -i "/^#include\s\+.*/d" "$sudoers_config_file" "${sudoers_config_dir}"/*
-sed -i "/^#includedir\s\+.*/d" "${sudoers_config_dir}"/*
+
+sed -i "/^#include\s\+.*/d" "$sudoers_config_file"
+
+if grep -Pr "^#include(dir)? .*" "$sudoers_config_dir" ; then
+ sed -i "/^#include\(dir\)\?\s\+.*/d" "$sudoers_config_dir"/*
+fi
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
index 554ef2e060d..3f14ecc1627 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_include.fail.sh
@@ -1,6 +1,7 @@
#!/bin/bash
# platform = multi_platform_all
+mkdir -p /etc/sudoers.d
# Ensure default config is there
if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
echo "#includedir /etc/sudoers.d" >> /etc/sudoers
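Review bot: The gate `grep -Pr "^#include(dir)? .*" "$sudoers_config_dir"` accepts only a single literal space after the directive, whereas the `sed` it guards accepts any whitespace run (`\s\+`), so a tab-separated `#includedir` in a drop-in is never removed because the gate does not fire; the two should use the same character class. `-P` is not needed for this expression and errors out on a grep built without PCRE support, and without `-q` the matching lines are echoed into the remediation output, so `grep -Eqs '^#include(dir)?[[:space:]]' "$sudoers_config_dir"/*` does the same job (`-s` silences the error when the directory is missing or empty, which is the case this commit is meant to handle). Note also that `-r` descends into subdirectories while `"$sudoers_config_dir"/*` does not, so a match found only in a nested directory makes the `sed -i` run over the top-level entries, directories included, which it cannot edit; as far as I recall sudo itself reads only regular files directly under an includedir, so `find "$sudoers_config_dir" -maxdepth 1 -type f -exec sed -i '/^#include\(dir\)\?\s\+.*/d' {} +` keeps the remediation aligned with what sudo parses — confirm against sudoers(5).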
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
index 516b68b5a3e..89515076ff1 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/sudoers.d_with_includedir.fail.sh
@@ -1,6 +1,7 @@
#!/bin/bash
# platform = multi_platform_all
+mkdir -p /etc/sudoers.d
# Ensure default config is there
if ! grep -q "#includedir /etc/sudoers.d" /etc/sudoers; then
echo "#includedir /etc/sudoers.d" >> /etc/sudoers