From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 2 Aug 2022 15:57:52 +0200
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
Update rule sudoers_default_includedir to accept as compliant sudoers files that don't have any #include or #includedir directive
---
 .../oval/shared.xml | 24 +++++++++++++++----
 .../sudo/sudoers_default_includedir/rule.yml | 8 ++++---
 ...cludedir.fail.sh => no_includedir.pass.sh} | 2 +-
 3 files changed, 26 insertions(+), 8 deletions(-)
 rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 59cab0b89de..629fbe8c6d2 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -1,10 +1,16 @@ {{{ oval_metadata("Check if sudo includes only the default includedir") }}} - - - - + + + + + + + + + +
@@ -32,6 +38,16 @@ 1 + + + + + /etc/sudoers + ^#includedir[\s]+.*$ + 1 + +
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
index aa2aaee19f8..83bfb0183bd 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
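Review bot: The object added in the second shared.xml hunk (`@@ -32,6 +38,16 @@`) matches only `^#includedir[\s]+.*$`, while the rule description changed in this same commit says the alternative compliant state is a /etc/sudoers with no `#include` or `#includedir` directive at all; unless the definition also negates a separate `#include` test against /etc/sudoers (the criteria around this object are not recoverable from the hunk as shown), a file that drops the includedir line but keeps a `#include` line would be accepted as compliant. A pattern covering both forms, such as `^#include(dir)?[\s]+.*$`, would keep the check aligned with the rule text and with the renamed no_includedir.pass.sh scenario. Note also that sudo 1.9.1 and later accept the `@include`/`@includedir` spellings, which this pattern does not cover; if that omission is deliberate it deserves a comment next to the object.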
@@ -8,9 +8,11 @@ description: |-
 Administrators can configure authorized sudo users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed.
- Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d.
- The /etc/sudoers should contain only one #includedir directive pointing to
- /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories.
+ Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d,
+ or that no drop-in file is included.
+ Either the /etc/sudoers should contain only one #includedir directive pointing to
+ /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
+ Or the /etc/sudoers should not contain any #include or #includedir directives.
 Note that the '#' character doesn't denote a comment in the configuration file.
 rationale: |-
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
similarity index 51%
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
index 1e0ab8aea92..fe73cb25076 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 # platform = multi_platform_all
-sed -i "/#includedir.*/d" /etc/sudoers
+sed -i "/#include(dir)?.*/d" /etc/sudoers
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
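Review bot: The new sed expression in no_includedir.pass.sh, `sed -i "/#include(dir)?.*/d" /etc/sudoers`, uses `(`, `)` and `?` without `-E`, so in sed's default basic regular expression syntax they are literal characters and the command only deletes lines containing the text `#include(dir)?`; a real `#includedir /etc/sudoers.d` line is left untouched. The scenario would then pass only when the file under test is already compliant, and the "no includes" branch the commit adds to the definition is never actually exercised. Since `#includedir` begins with `#include`, the grouping is unnecessary: `sed -i "/#include/d" /etc/sudoers` removes both directive forms, or keep the grouping with `sed -i -E "/#include(dir)?/d" /etc/sudoers`.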
From: Watson Sato
Date: Wed, 3 Aug 2022 12:01:12 +0200
Subject: [PATCH 2/2] Improve definition's comments
---
 .../software/sudo/sudoers_default_includedir/oval/shared.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
index 629fbe8c6d2..82095acc6ed 100644
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
@@ -8,8 +8,8 @@ - - + +