From 133d331a04e1ba27324291006c65c2bfa467e49d Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Tue, 1 Feb 2022 16:54:16 +0100
Subject: [PATCH 1/2] Update RHEL-08-010383 to require only one occurrence of a config.

The V1R5 release of RHEL8 STIG requires that the configuration should be present only in one configuration file to prevent any ordering problem when the modules loads the configuration using drop-in files that use the lexicographically order of file names.
---
 .../sudo/sudoers_validate_passwd/ansible/shared.yml | 6 +++---
 .../sudo/sudoers_validate_passwd/oval/shared.xml | 12 ++++++------
 .../software/sudo/sudoers_validate_passwd/rule.yml | 3 ++-
 .../tests/sudoers_validate_passwd_duplicates.fail.sh | 7 +++++++
 4 files changed, 18 insertions(+), 10 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh

diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 08ffd76aed6..19673634fb3 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,6 @@ # complexity = low # disruption = low -{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}} -{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}} -{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}} +{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}} +{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}} +{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}} diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml index 646e6bfb7c0..b3fadd53bee 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml @@ -8,17 +8,17 @@ - - - @@ -26,19 +26,19 @@ ^/etc/sudoers(\.d/.*)?$ ^Defaults !targetpw$\r?\n - 1 + 1 ^/etc/sudoers(\.d/.*)?$ ^Defaults !rootpw$\r?\n - 1 + 1 ^/etc/sudoers(\.d/.*)?$ ^Defaults !runaspw$\r?\n - 1 + 1 diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml index ccc29b77d15..698021d8fd0 100644 --- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml 
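Review bot: The OVAL objects in the second hunk count only lines matching `^Defaults !targetpw$` (and the rootpw/runaspw equivalents), so a later `Defaults targetpw` in a drop-in — the ordering problem the commit message describes — still passes as long as exactly one negated line exists, since sudoers Defaults entries are applied in file order and the last one wins. A companion object over the same `^/etc/sudoers(\.d/.*)?$` path set with pattern `^Defaults\s+targetpw` asserted to have zero matches would close that gap. Two further caveats: the filepath pattern also visits names that sudo's `#includedir` skips (names containing a `.` or ending in `~`, such as package-manager backups), so a stray backup copy now flips the rule to fail; and the exact-match content pattern misses valid spellings such as a tab separator or a combined `Defaults !targetpw, !rootpw, !runaspw` line, which would be reported as missing and then duplicated by the remediation. The removed object and test lines are not legible in this view, so the comparison with the pre-change existence check is inferred.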
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
 ocil: |-
     Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
 sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
-    If no results are returned, this is a finding
+    If no results are returned, this is a finding.
+    If results are returned from more than one file location, this is a finding.
     If "Defaults !targetpw" is not defined, this is a finding.
     If "Defaults !rootpw" is not defined, this is a finding.
     If "Defaults !runaspw" is not defined, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
new file mode 100644
index 00000000000..6247b5230e4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers

From 315b248c77252fc3145cdf34fede98b1a32a7c04 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Wed, 9 Feb 2022 15:24:23 +0100
Subject: [PATCH 2/2] Update remediations of sudoers_validate_passwd to remove duplicates.

---
 .../ansible/shared.yml | 20 +++++++++++++++++++
 .../sudoers_validate_passwd/bash/shared.sh | 12 +++++++++++
 .../tests/sudoers_d_duplicate.fail.sh | 9 +++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh

diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 19673634fb3..399ca1ea3ce 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
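Review bot: The new OCIL sentence only treats results from more than one file as a finding, but the OVAL in this same commit requires exactly one occurrence, and the new `sudoers_validate_passwd_duplicates.fail.sh` fixture fails the rule with two `Defaults !runaspw` lines in `/etc/sudoers` alone — the manual check is narrower than the automated one. Suggest `If any of these "Defaults" entries is returned more than once, whether from one file or several, this is a finding.` Separately, the `grep -v '#'` in the unchanged command drops any line that merely contains a `#`, such as one with a trailing comment, so a manual reviewer could record a false "not defined" finding; `grep -v '^[[:space:]]*#'` is the usual filter for comment-only lines, and `egrep` is deprecated in favour of `grep -E`.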
@@ -4,6 +4,26 @@
 # complexity = low
 # disruption = low
 
+{{%- macro delete_line_in_sudoers_d(line) %}}
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
+  find:
+    path: "/etc/sudoers.d"
+    patterns: "*"
+    contains: '^{{{ line }}}$'
+  register: sudoers_d_defaults
+
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
+  lineinfile:
+    path: "{{ item.path }}"
+    regexp: "^{{{ line }}}$"
+    state: absent
+  with_items: "{{ sudoers_d_defaults.files }}"
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
 {{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
 {{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
 {{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
index ea0ac67fa1c..3b327f3fc88 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
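Review bot: The new `lineinfile` task rewrites files under `/etc/sudoers.d` with no `validate:` step; removing a whole line is unlikely to produce a syntax error by itself, but tasks that write sudoers content are normally guarded with `validate: '/usr/sbin/visudo -cf %s'` so a bad write fails the play instead of breaking sudo for every user, and the same applies to the `ansible_only_lineinfile` expansions below if that macro does not already validate (its definition is not in this view). `patterns: "*"` is the `find` module default and can be dropped, and `loop: "{{ sudoers_d_defaults.files }}"` with `loop_control: {label: "{{ item.path }}"}` would name the edited file in the task output instead of dumping each stat dict. Note that `find` will also match names such as `foo~` or `foo.rpmsave`, which sudo's `#includedir` ignores; editing them is harmless but may surprise an operator reading the play output.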
@@ -1,5 +1,17 @@
 # platform = multi_platform_all
 
+{{%- macro delete_line_in_sudoers_d(line) %}}
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
+fi
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+
+
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
new file mode 100644
index 00000000000..a258d108a00
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
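Review bot: In the bash macro the `sed` expression `"/{{{line}}}/d"` is unanchored while the `grep -x` guard above it is a whole-line match, so the deletion pass removes more than the guard detected — a commented-out `# Defaults !rootpw`, or any line containing the string as a substring — from every regular file under `/etc/sudoers.d`. Anchor it to match the guard: `find /etc/sudoers.d/ -type f -exec sed -i "/^{{{line}}}$/d" {} \;`. The guard itself should be quiet and tolerate an empty directory, where the unexpanded `*` makes grep complain about a literal `*` file: `if grep -qsx '{{{line}}}' /etc/sudoers.d/*; then` (`-x` already anchors, so the `^`/`$` are redundant). The two blank lines appended after the `set_config_file` calls look like leftover whitespace.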
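Review bot: The duplicate in this fixture is written to `/etc/sudoers.d/00-complianceascode.conf`, a name sudo never loads — sudoers(5) documents that `#includedir` skips file names containing a `.` or ending in `~` — so the scenario exercises the scanner's `^/etc/sudoers(\.d/.*)?$` path match rather than a drop-in sudo would actually apply. Writing to `/etc/sudoers.d/00-complianceascode` instead keeps the test a genuine ordering conflict, and it would still fail the rule and be cleaned by both remediations.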