From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Sun, 30 May 2021 19:16:11 +0100 Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS --- .../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++ .../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++ rhel8/profiles/cis.profile | 2 +- 3 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml new file mode 100644 index 00000000000..5571c92a679 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml @@ -0,0 +1,20 @@ +documentation_complete: true + +title: 'Ensure Sudo Logfile Exists - sudo logfile' + +description: |- + A custom logfile can be configured for sudo with the logfile tag. + +rationale: |- + A sudo log file simplifies auditing of sudo commands. + +severity: medium + +identifiers: + cis@rhel8: 1.3.3 + +template: + name: sudo_defaults_option + vars: + option: logfile + variable_name: var_sudo_logfile diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var new file mode 100644 index 00000000000..65b23b5f3c2 --- /dev/null +++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var @@ -0,0 +1,16 @@ +documentation_complete: true + +title: 'Sudo - logfile value' + +description: |- + Specify the sudo logfile to use. The default value used here matches the example + location from CIS, which uses /var/log/sudo.log. + +interactive: false + +type: string + +operator: equals + +options: + default: "/var/log/sudo.log" diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile index ec9cbfa0a3d..411083d6e71 100644 
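Review bot: The title `Ensure Sudo Logfile Exists - sudo logfile` promises more than the rule can deliver: `sudo_defaults_option` with `option: logfile` presumably verifies that a `Defaults logfile=` entry is present in the sudoers configuration, not that the file actually exists or that its ownership and mode keep it readable by root only. The template lives outside this patch so I cannot confirm its exact check, but the description should state the scope, e.g. `This rule checks that a Defaults logfile option is configured; it does not verify the file's existence, ownership or permissions.` It would also help the rationale to say that, as far as I recall sudo's behaviour, a custom logfile supplements rather than replaces syslog/audit logging of sudo invocations, so the rule is not a substitute for those controls.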
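Review bot: `var_sudo_logfile` is a free-form `type: string` whose value is written into the sudoers configuration by the template's remediation, and a tailored value containing spaces, quotes or `=` (unless quoted the way sudoers requires) could leave sudoers syntactically invalid, in which case sudo refuses every command until the file is repaired by hand. The template is not part of this patch, so I cannot see whether the remediation validates the result with `visudo -c` before committing it; if it does not, the variable description should warn tailoring users, e.g. `The value must be an absolute path without spaces or quotes; the remediation does not validate sudoers syntax.` With the fixed `default` and `interactive: false` the stock profile is not exposed, but the risk appears as soon as the value is overridable.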
--- a/rhel8/profiles/cis.profile +++ b/rhel8/profiles/cis.profile @@ -132,7 +132,7 @@ selections: # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220 ### 1.3.3 Ensure sudo log file exists (Scored) - # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221 + - sudo_custom_logfile ## 1.4 Filesystem Integrity Checking From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Sun, 30 May 2021 20:46:58 +0100 Subject: [PATCH 2/5] Update rule with OCIL parameters --- .../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml index 5571c92a679..de0ecb98a76 100644 --- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml @@ -8,11 +8,18 @@ description: |- rationale: |- A sudo log file simplifies auditing of sudo commands. -severity: medium +severity: low identifiers: cis@rhel8: 1.3.3 +ocil_clause: 'logfile is not enabled in sudo' + +ocil: |- + To determine if logfile has been configured for sudo, run the following command: +
$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
+ The command should return a matching output. + template: name: sudo_defaults_option vars: From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Mon, 31 May 2021 11:44:13 +0100 Subject: [PATCH 3/5] Use references field for CIS rather than identifiers --- .../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml index de0ecb98a76..afce7f1867c 100644 --- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml @@ -10,7 +10,7 @@ rationale: |- severity: low -identifiers: +references: cis@rhel8: 1.3.3 ocil_clause: 'logfile is not enabled in sudo' From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Tue, 1 Jun 2021 11:28:08 +0100 Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule --- .../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++- shared/references/cce-redhat-avail.txt | 2 -- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml index afce7f1867c..d08b7891293 100644 --- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml 
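Review bot: In the added OCIL command `^[\s]*` does not match leading whitespace: inside a bracket expression the backslash is literal in POSIX and GNU grep, so `[\s]` matches only a backslash or the letter `s`, and an indented `Defaults logfile=...` line would be reported as missing by a manual checker following this text. Use `^[[:space:]]*Defaults.*\blogfile\b` instead (`\b` is a GNU extension that works outside brackets, so it can stay). The OCIL also says only that "a matching output" is expected, while any `logfile` entry satisfies the grep; it should add that the returned value is expected to be the configured path. The severity change from `medium` to `low` in the same hunk is not explained by the commit message and is worth a sentence there. This hunk begins on an earlier line and the grep line appears to have lost its `+` marker in this rendering.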
@@ -3,14 +3,21 @@ documentation_complete: true title: 'Ensure Sudo Logfile Exists - sudo logfile' description: |- - A custom logfile can be configured for sudo with the logfile tag. + A custom log sudo file can be configured with the 'logfile' tag. This rule configures + a sudo custom logfile at the default location suggested by CIS, which uses + /var/log/sudo.log. rationale: |- A sudo log file simplifies auditing of sudo commands. severity: low +identifiers: + cce@rhel7: CCE-83600-7 + cce@rhel8: CCE-83601-5 + references: + cis@rhel7: 5.2.3 cis@rhel8: 1.3.3 ocil_clause: 'logfile is not enabled in sudo' diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index ae54d0ee0b2..e74b6779509 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -94,8 +94,6 @@ CCE-83594-2 CCE-83595-9 CCE-83596-7 CCE-83599-1 -CCE-83600-7 -CCE-83601-5 CCE-83606-4 CCE-83608-0 CCE-83609-8 From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001 From: Alex Haydock Date: Tue, 1 Jun 2021 16:19:45 +0100 Subject: [PATCH 5/5] Allow users to override sudo logfile location with tailoring --- linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var index 65b23b5f3c2..7c5d02d37eb 100644 --- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var +++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var @@ -6,7 +6,7 @@ description: |- Specify the sudo logfile to use. The default value used here matches the example location from CIS, which uses /var/log/sudo.log. -interactive: false +interactive: true type: string
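Review bot: The new description text `A custom log sudo file can be configured with the 'logfile' tag.` has its words out of order and should read `A custom sudo log file can be configured with the 'logfile' tag.`. The following sentence states that the rule configures the logfile "at the default location suggested by CIS", but the actual location comes from `var_sudo_logfile`, so it would be more accurate to say `at the location given by {{{ xccdf_value("var_sudo_logfile") }}} (by default /var/log/sudo.log, the location suggested by CIS)`. The added `cis@rhel7: 5.2.3` reference cannot be checked from this patch; it is worth confirming it against the CIS RHEL 7 benchmark version the project tracks, since section numbering differs between benchmark releases.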
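Review bot: Flipping `interactive: false` to `interactive: true` does not appear to be what makes the variable tailorable: as far as I recall XCCDF, a Value can be overridden with `refine-value`/`set-value` in a tailoring file regardless of the `interactive` attribute, which instead signals to a checking tool that it may prompt the user for the value during evaluation. If the intent stated in the commit title is only to allow tailoring, the previous `interactive: false` already permitted that, and this change may instead cause prompting in tools that honour the attribute. Either revert the hunk or reword the commit message to say that interactive prompting is the desired behaviour.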