From 133d331a04e1ba27324291006c65c2bfa467e49d Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Tue, 1 Feb 2022 16:54:16 +0100
Subject: [PATCH 1/2] Update RHEL-08-010383 to require only one occurrence of a
config.
The V1R5 release of RHEL8 STIG requires that the configuration should be
present only in one configuration file to prevent any ordering problem
when the module loads the configuration using drop-in files that use
the lexicographical order of file names.
---
.../sudo/sudoers_validate_passwd/ansible/shared.yml | 6 +++---
.../sudo/sudoers_validate_passwd/oval/shared.xml | 12 ++++++------
.../software/sudo/sudoers_validate_passwd/rule.yml | 3 ++-
.../tests/sudoers_validate_passwd_duplicates.fail.sh | 7 +++++++
4 files changed, 18 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 08ffd76aed6..19673634fb3 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,6 @@
# complexity = low
# disruption = low
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
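Review bot: The `line_regex` values added on these three lines match only the exact spelling `Defaults !targetpw` with a single space, so a semantically equivalent sudoers line written with a tab or extra whitespace is neither recognised nor replaced, and the remediation appends a second directive — the duplication the updated check is meant to flag. If the macro accepts it, a tolerant pattern such as `line_regex='^Defaults\s+!targetpw\s*$'` (and likewise for rootpw and runaspw) keeps the remediation idempotent against hand-edited files. The unchanged `<ind:pattern>` lines in oval/shared.xml are equally strict, so check and remediation would need to move together; otherwise the remediation could accept a tab-spaced line that the scanner still fails.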
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 646e6bfb7c0..b3fadd53bee 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -8,17 +8,17 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_targetpw_config" version="1">
<ind:object object_ref="object_test_sudoers_targetpw_config" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_rootpw_config" version="1">
<ind:object object_ref="object_test_sudoers_rootpw_config" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_runaspw_config" version="1">
<ind:object object_ref="object_test_sudoers_runaspw_config" />
</ind:textfilecontent54_test>
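Review bot: The three rewritten `textfilecontent54_test` elements keep an identical `comment` attribute, so a report listing a failed test cannot tell targetpw, rootpw and runaspw apart, and the wording no longer describes the `only_one_exists` semantics this hunk introduces. Suggest a per-test comment such as `comment="Ensure Defaults !targetpw is defined exactly once across /etc/sudoers and /etc/sudoers.d"`, with the matching option name on the rootpw and runaspw tests. Because the objects in the next hunk match every file under `/etc/sudoers(\.d/.*)?` and collect every instance, `only_one_exists` also fails on two occurrences inside a single file, which the comment should state so the intent is visible in the OVAL itself.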
@@ -26,19 +26,19 @@
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index ccc29b77d15..698021d8fd0 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
ocil: |-
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
- If no results are returned, this is a finding
+ If no results are returned, this is a finding.
+ If results are returned from more than one file location, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
new file mode 100644
index 00000000000..6247b5230e4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
From 315b248c77252fc3145cdf34fede98b1a32a7c04 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 9 Feb 2022 15:24:23 +0100
Subject: [PATCH 2/2] Update remediations of sudoers_validate_passwd to remove
duplicates.
---
.../ansible/shared.yml | 20 +++++++++++++++++++
.../sudoers_validate_passwd/bash/shared.sh | 12 +++++++++++
.../tests/sudoers_d_duplicate.fail.sh | 9 +++++++++
3 files changed, 41 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 19673634fb3..399ca1ea3ce 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,26 @@
# complexity = low
# disruption = low
+{{%- macro delete_line_in_sudoers_d(line) %}}
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^{{{ line }}}$'
+ register: sudoers_d_defaults
+
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: "^{{{ line }}}$"
+ state: absent
+ with_items: "{{ sudoers_d_defaults.files }}"
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
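Review bot: The `lineinfile` task in the new `delete_line_in_sudoers_d` macro edits files under /etc/sudoers.d without a `validate` step, and the `ansible_only_lineinfile` calls below it then edit /etc/sudoers; a malformed result in either place disables sudo for every account, so `validate: '/usr/sbin/visudo -cf %s'` on the lineinfile task is the usual guard, unless the project macro already supplies one. `patterns: "*"` on the `find` task is the module default and can be dropped, and `with_items` could be `loop` to match current Ansible style. Registering `sudoers_d_defaults` three times in sequence is fine as written, but only the last run's result is visible to any later task.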
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
index ea0ac67fa1c..3b327f3fc88 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
@@ -1,5 +1,17 @@
# platform = multi_platform_all
+{{%- macro delete_line_in_sudoers_d(line) %}}
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
+fi
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+
+
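Review bot: The `sed -i "/{{{line}}}/d"` expression on the third line of the macro is unanchored while the preceding `grep -x` is an exact-line match, so once any drop-in contains an exact `Defaults !targetpw` line, sed deletes every line in every /etc/sudoers.d file that merely contains that text — a commented-out `# Defaults !targetpw` or a combined entry such as `Defaults !targetpw,!rootpw` included — which goes beyond deduplication. Anchoring it, `find /etc/sudoers.d/ -type f -exec sed -i "/^{{{line}}}$/d" {} \;`, and silencing the probe with `grep -qx '{{{line}}}' /etc/sudoers.d/*`, keeps the two in agreement; the `^`/`$` inside a `-x` pattern are redundant. The two blank lines appended after the `set_config_file` calls are trailing whitespace.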
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
new file mode 100644
index 00000000000..a258d108a00
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
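Review bot: The drop-in name `00-complianceascode.conf` contains a dot, and sudoers(5) documents that `#includedir` skips file names containing `.` (or ending in `~`), so with the default include directive sudo itself never reads the three lines appended to that file. The scenario still fails the OVAL check because the object's filepath pattern `^/etc/sudoers(\.d/.*)?$` accepts any name, so the test is valid for the scanner, but a dot-free name such as `00-complianceascode` would model the real ordering problem the first commit describes. The script also assumes /etc/sudoers.d exists, which the `packages = sudo` header presumably guarantees.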