197 lines
9.2 KiB
Diff
197 lines
9.2 KiB
Diff
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
index 851993512..515a4a172 100644
|
|
--- a/controls/anssi.yml
|
|
+++ b/controls/anssi.yml
|
|
@@ -850,7 +850,8 @@ controls:
|
|
- id: R63
|
|
level: intermediary
|
|
title: Explicit arguments in sudo specifications
|
|
- # rules: TBD
|
|
+ rules:
|
|
+ - sudoers_explicit_command_args
|
|
|
|
- id: R64
|
|
level: intermediary
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
|
|
new file mode 100644
|
|
index 000000000..94a0cb421
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/oval/shared.xml
|
|
@@ -0,0 +1,25 @@
|
|
+<def-group>
|
|
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
|
|
+ {{{ oval_metadata("Check that sudoers doesn't contain commands without arguments specified") }}}
|
|
+ <criteria operator="AND">
|
|
+ <criterion comment="Make sure that no commands are without arguments" test_ref="test_{{{ rule_id }}}" />
|
|
+ </criteria>
|
|
+ </definition>
|
|
+
|
|
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
|
|
+ comment="Make sure that no command in user spec is without any argument"
|
|
+ id="test_{{{ rule_id }}}" version="1">
|
|
+ <ind:object object_ref="object_{{{ rule_id }}}" />
|
|
+ </ind:textfilecontent54_test>
|
|
+
|
|
+ <ind:textfilecontent54_object id="object_{{{ rule_id }}}" version="1">
|
|
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
+ <!-- The regex idea: <user list> <host list> = (<the whole command with at least an arg>,)* <command with no arg> <end of the line or next command spec we don't care about>
|
|
+ where a command is <runas spec>?<anything except ,>+,
|
|
+ - ',' is a command delimiter, while
|
|
+ The last capturing group holds the offending command without args.
|
|
+ -->
|
|
+ <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
|
|
+ <ind:instance datatype="int">1</ind:instance>
|
|
+ </ind:textfilecontent54_object>
|
|
+</def-group>
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
|
new file mode 100644
|
|
index 000000000..a0590c8b0
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml
|
|
@@ -0,0 +1,46 @@
|
|
+documentation_complete: true
|
|
+
|
|
+title: "Explicit arguments in sudo specifications"
|
|
+
|
|
+description: |-
|
|
+ All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
|
|
+ If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.
|
|
+
|
|
+rationale: |-
|
|
+ Any argument can modify quite significantly the behavior of a program, whether regarding the
|
|
+ realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
|
|
+ avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
|
|
+ level of its specification.
|
|
+
|
|
+ For example, on some systems, the kernel messages are only accessible by root.
|
|
+ If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
|
|
+ in order to prevent the user from flushing the buffer through the -c option:
|
|
+ <pre>
|
|
+ user ALL = dmesg ""
|
|
+ </pre>
|
|
+
|
|
+severity: medium
|
|
+
|
|
+identifiers:
|
|
+ cce@rhel7: CCE-83631-2
|
|
+ cce@rhel8: CCE-83632-0
|
|
+
|
|
+references:
|
|
+ anssi: BP28(R63)
|
|
+
|
|
+ocil_clause: '/etc/sudoers file contains user specifications that allow execution of commands with any arguments'
|
|
+
|
|
+ocil: |-
|
|
+ To determine if arguments that commands can be executed with are restricted, run the following command:
|
|
+ <pre>$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>
|
|
+ The command should return no output.
|
|
+
|
|
+platform: sudo
|
|
+
|
|
+warnings:
|
|
+ - general:
|
|
+ This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.
|
|
+
|
|
+ - general:
|
|
+ The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that.
|
|
+ For example, <code>root ALL=(ALL) echo 1\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\</code> and <code>2</code>.
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
|
|
new file mode 100644
|
|
index 000000000..b0d05b2a5
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/commented.pass.sh
|
|
@@ -0,0 +1,5 @@
|
|
+# platform = multi_platform_all
|
|
+# packages = sudo
|
|
+
|
|
+echo '#jen,!fred ALL, !SERVERS = !/bin/sh' > /etc/sudoers
|
|
+echo '# somebody ALL=/bin/ls, (!bob,alice) !/bin/cat, /bin/dog' > /etc/sudoers.d/foo
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
|
|
new file mode 100644
|
|
index 000000000..c6f885f9f
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-1.fail.sh
|
|
@@ -0,0 +1,5 @@
|
|
+# platform = multi_platform_all
|
|
+# packages = sudo
|
|
+# remediation = none
|
|
+
|
|
+echo 'somebody ALL=/bin/ls, (!bob,alice) /bin/cat arg, /bin/dog' > /etc/sudoers
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
|
|
new file mode 100644
|
|
index 000000000..fce851f55
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/complex-2.fail.sh
|
|
@@ -0,0 +1,5 @@
|
|
+# platform = multi_platform_all
|
|
+# packages = sudo
|
|
+# remediation = none
|
|
+
|
|
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog, /bin/cat arg' > /etc/sudoers
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
|
|
new file mode 100644
|
|
index 000000000..baf66468d
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/false_positive.fail.sh
|
|
@@ -0,0 +1,9 @@
|
|
+# platform = multi_platform_all
|
|
+# remediation = none
|
|
+# packages = sudo
|
|
+
|
|
+# The val1\,val2 is the first argument of the /bin/dog command that contains a comma.
|
|
+# Our check tends to interpret the comma as commad delimiter, so the dog arg is val1\
|
|
+# and val2 is another command in the user spec.
|
|
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog val1\,val2, /bin/cat ""' > /etc/sudoers
|
|
+
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
|
|
new file mode 100644
|
|
index 000000000..9a04a205a
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.fail.sh
|
|
@@ -0,0 +1,5 @@
|
|
+# platform = multi_platform_all
|
|
+# packages = sudo
|
|
+# remediation = none
|
|
+
|
|
+echo 'jen,!fred ALL,SERVERS = /bin/sh ' > /etc/sudoers
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
|
|
new file mode 100644
|
|
index 000000000..4a3a7c94b
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/simple.pass.sh
|
|
@@ -0,0 +1,6 @@
|
|
+# platform = multi_platform_all
|
|
+# packages = sudo
|
|
+
|
|
+echo 'nobody ALL=/bin/ls "", (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
|
|
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
|
|
+echo 'nobody ALL=/bin/ls arg arg, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
|
|
diff --git a/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
|
|
new file mode 100644
|
|
index 000000000..9643a3337
|
|
--- /dev/null
|
|
+++ b/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/tests/sudoers_d.fail.sh
|
|
@@ -0,0 +1,9 @@
|
|
+# platform = multi_platform_all
|
|
+# packages = sudo
|
|
+# remediation = none
|
|
+
|
|
+echo 'nobody ALL=/bin/ls, (!bob,alice) /bin/dog arg, /bin/cat ""' > /etc/sudoers
|
|
+echo 'jen,!fred ALL,!SERVERS = /bin/sh arg' >> /etc/sudoers
|
|
+echo 'nobody ALL=/bin/ls, (bob,!alice) /bin/dog arg, /bin/cat arg' > /etc/sudoers.d/foo
|
|
+
|
|
+echo 'user ALL = ALL' > /etc/sudoers.d/bar
|
|
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
index 4dbec8255..94a116b59 100644
|
|
--- a/shared/references/cce-redhat-avail.txt
|
|
+++ b/shared/references/cce-redhat-avail.txt
|
|
@@ -140,8 +140,6 @@ CCE-83626-2
|
|
CCE-83627-0
|
|
CCE-83628-8
|
|
CCE-83629-6
|
|
-CCE-83631-2
|
|
-CCE-83632-0
|
|
CCE-83633-8
|
|
CCE-83634-6
|
|
CCE-83635-3
|