scap-security-guide/SOURCES/scap-security-guide-0.1.61-sudoers_timestamp_timeout-PR_8220.patch
2022-03-01 10:14:31 +00:00

164 lines
7.9 KiB
Diff

From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 14 Feb 2022 15:54:37 +0100
Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config.
This configuration must appear at only one place so it doesn't get
overriden by a different file that can loaded on a different order and
the intended configuration is replaced by non-compliant value.
---
.../ansible/shared.yml | 36 ++++++++++++++++++
.../bash/shared.sh | 38 +++++++++++++++++++
.../oval/shared.xml | 4 +-
.../sudo_require_reauthentication/rule.yml | 14 +------
.../tests/multiple_correct_value.fail.sh | 10 +++++
5 files changed, 87 insertions(+), 15 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
new file mode 100644
index 00000000000..b0c67a69af9
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
@@ -0,0 +1,36 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+ register: sudoers_d_defaults_timestamp_timeout
+
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
+ state: absent
+ with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
+
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
+ lineinfile:
+ path: /etc/sudoers
+ regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
+ line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
+ validate: /usr/sbin/visudo -cf %s
+ backrefs: yes
+ register: edit_sudoers_timestamp_timeout_option
+
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
+ lineinfile: # noqa 503
+ path: /etc/sudoers
+ line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
+ validate: /usr/sbin/visudo -cf %s
+ when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
new file mode 100644
index 00000000000..0b623ed4a49
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
@@ -0,0 +1,38 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
+
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
+fi
+
+if /usr/sbin/visudo -qcf /etc/sudoers; then
+ cp /etc/sudoers /etc/sudoers.bak
+ if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
+ # sudoers file doesn't define Option timestamp_timeout
+ echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
+ else
+ # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
+ if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
+
+ sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
+ fi
+ fi
+
+ # Check validity of sudoers and cleanup bak
+ if /usr/sbin/visudo -qcf /etc/sudoers; then
+ rm -f /etc/sudoers.bak
+ else
+ echo "Fail to validate remediated /etc/sudoers, reverting to original file."
+ mv /etc/sudoers.bak /etc/sudoers
+ false
+ fi
+else
+ echo "Skipping remediation, /etc/sudoers failed to validate"
+ false
+fi
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
index 8f404ca6065..dfc319b6f1f 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
@@ -6,13 +6,13 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
<ind:object object_ref="obj_sudo_timestamp_timeout"/>
<ind:state state_ref="state_sudo_timestamp_timeout" />
</ind:textfilecontent54_test>
<ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
- <ind:filepath>/etc/sudoers</ind:filepath>
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
<ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
</ind:textfilecontent54_object>
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
index 42c6e28f9e6..eebb96678f1 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
@@ -50,16 +50,4 @@ ocil: |-
<pre>sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d</pre>
The output should be:
<pre>/etc/sudoers:Defaults timestamp_timeout=0</pre> or "timestamp_timeout" is set to a positive number.
-
-template:
- name: sudo_defaults_option
- vars:
- option: timestamp_timeout
- variable_name: "var_sudo_timestamp_timeout"
- # optional minus char added so remediation can detect properly if item is already configured
- option_regex_suffix: '=[-]?\w+\b'
- backends:
- # Template is not able to accomodate this particular check.
- # It needs to check for an integer greater than or equal to zero
- oval: "off"
-
+ If results are returned from more than one file location, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
new file mode 100644
index 00000000000..a258d6632b5
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+ sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
+else
+ echo "Defaults timestamp_timeout=3" >> /etc/sudoers
+fi
+
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf