From 9243f7615c2656003e4a64c88076d0d660f58580 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 5 Aug 2022 12:45:24 +0200
Subject: [PATCH] Fix rule sudo_custom_logfile

- Allow only white space after the Default keyword to avoid matching words that only start with Default.
- If the variable value contains slashes they need to be escaped because the sed command uses slashes as a separator, otherwise the sed doesn't replace the wrong line during a remediation.
Also adds 2 test scenarios.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2083109
---
 .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
 .../sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh | 4 ++++
 .../sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh | 4 ++++
 shared/templates/sudo_defaults_option/ansible.template | 2 +-
 shared/templates/sudo_defaults_option/bash.template | 5 +++--
 shared/templates/sudo_defaults_option/oval.template | 2 +-
 6 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh

diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 739f5f14936..94fbaaa33ed 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -29,7 +29,7 @@ ocil_clause: 'logfile is not enabled in sudo'
 ocil: |-
 To determine if logfile has been configured for sudo, run the following command:
-
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
+
$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
 The command should return a matching output.
 template:
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
new file mode 100644
index 00000000000..13ff4559edb
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/broken_defaults.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaultsabc logfile=/var/log/sudo.log" >> /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
new file mode 100644
index 00000000000..ec24854f0f9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/wrong_logfile.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# platform = multi_platform_all
+
+echo "Defaults logfile=/var/log/othersudologfile.log" >> /etc/sudoers
diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template
index 094fa430b64..c9e344ec772 100644
--- a/shared/templates/sudo_defaults_option/ansible.template
+++ b/shared/templates/sudo_defaults_option/ansible.template
@@ -8,7 +8,7 @@
 - name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers
 lineinfile:
 path: /etc/sudoers
- regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?\w+\b(.*)$'
+ regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?.+\b(.*)$'
 line: 'Defaults \1{{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}\2'
 validate: /usr/sbin/visudo -cf %s
 backrefs: yes
diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template
index e3563d42db6..e7d962a668d 100644
--- a/shared/templates/sudo_defaults_option/bash.template
+++ b/shared/templates/sudo_defaults_option/bash.template
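Review bot: The new OCIL command runs plain `grep` (basic regex syntax), and under GNU grep's BRE a bracket expression treats backslash literally, so `^[\s]*` matches a run of `\` or `s` characters rather than leading whitespace; only `Defaults` at column 0 is found, while the OVAL and bash checks in this commit interpret `[\s]` as a whitespace class under PCRE. The `\s*` placed outside the brackets on the new line is fine in GNU grep, so the manual check can be brought in line with the automated one by writing `$ sudo grep -ri "^[[:space:]]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/`, or by adding `-P` as the bash template does. The ocil block continues outside the hunk.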
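Review bot: The new `[-]?.+` in the regexp is greedy and is followed only by `\b(.*)$`, so on a line such as `Defaults logfile=/var/log/old.log, use_pty` the value match runs to the end of the line, `\2` is empty, and the rewritten `line:` silently drops every option after the value. A class that stops at the sudoers separators keeps `\2` intact: `regexp: '^[\s]*Defaults\s(.*)\b{{{ OPTION }}}=[-]?[^\s,]+(.*)$'` (if double-quoted values containing spaces must be supported, the class needs a quoted alternative). The same greedy `.+` is introduced in the sed expression of the bash.template hunk below and needs the same treatment there, e.g. `[-]?[^[:space:],]+(.*$)`. This regexp also still accepts anything after `Defaults\s`, whereas the bash grep and OVAL patterns in this commit were tightened to `Defaults[\s]*`; whether the two should agree depends on the task that handles the no-match case, which is outside this hunk.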
@@ -9,7 +9,7 @@
 {{% endif %}}
 if /usr/sbin/visudo -qcf /etc/sudoers; then
 cp /etc/sudoers /etc/sudoers.bak
- if ! grep -P '^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
+ if ! grep -P '^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}\b.*$' /etc/sudoers; then
 # sudoers file doesn't define Option {{{ OPTION }}}
 echo "Defaults {{{ OPTION_VALUE }}}" >> /etc/sudoers
 {{%- if not VARIABLE_NAME %}}
@@ -21,7 +21,8 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then
 {{% if '/' in OPTION %}}
 {{{ raise("OPTION (" + OPTION + ") uses sed path separator (/) in " + rule_id) }}}
 {{% endif %}}
- sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?\w+(\b.*$)/\1{{{ '${' ~ VARIABLE_NAME ~ '}' }}}\2/" /etc/sudoers
+ escaped_variable={{{ "${" ~ VARIABLE_NAME ~ "//$'/'/$'\/'}" }}}
+ sed -Ei "s/(^[\s]*Defaults.*\b{{{ OPTION }}}=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
 fi
 fi
 {{% endif %}}
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template
index c0d81c95093..a9636a7204a 100644
--- a/shared/templates/sudo_defaults_option/oval.template
+++ b/shared/templates/sudo_defaults_option/oval.template
@@ -13,7 +13,7 @@ ^/etc/sudoers(|\.d/.*)$ - ^[\s]*Defaults.*\b{{{ OPTION_REGEX }}}.*$ + ^[\s]*Defaults[\s]*\b{{{ OPTION_REGEX }}}.*$ 1
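Review bot: `escaped_variable` in the second hunk escapes only `/`, but the value is spliced into the replacement side of a `sed s///` expression, where `&` (stands for the matched text) and `\` (starts an escape) are also special, so a variable value containing either is written into /etc/sudoers corrupted or makes the sed fail before `visudo` ever sees it. Escaping all three in one step is safer and also avoids the unusual `$'\/'` construct: `escaped_variable=$(printf '%s' "{{{ '${' ~ VARIABLE_NAME ~ '}' }}}" | sed -e 's/[\/&\\]/\\&/g')`. The sed address on the next line still matches `Defaults.*\b{{{ OPTION }}}=` while the grep in the first hunk was tightened to `Defaults[\s]*\b`, so once the grep has matched, the sed can additionally rewrite lines such as `Defaults:user {{{ OPTION }}}=` that the check deliberately no longer counts; `Defaults[[:space:]]*\b` in the sed pattern keeps the two consistent. The enclosing if/else begins in the first hunk and the `else` line itself lies between the two hunks, outside what is shown.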