scap-security-guide/SOURCES/scap-security-guide-0.1.57-add_rule_sudo_add_passwd_timeout-PR_6984.patch

From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 5 Jan 2021 18:03:24 +0100
Subject: [PATCH] Add rule sudo_add_passwd_timeout

This rule configures sudo password prompt timeout.
---
 controls/anssi.yml                            |  3 +-
 .../sudo/sudo_add_passwd_timeout/rule.yml     | 40 +++++++++++++++++++
 .../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++
 shared/references/cce-redhat-avail.txt        |  2 -
 4 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
 create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var

diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..5120456230b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -892,7 +892,8 @@ controls:
     - var_sudo_umask=0027
     - sudo_add_ignore_dot
     - sudo_add_env_reset
-    # passwd_timeout=1
+    - sudo_add_passwd_timeout
+    - var_sudo_passwd_timeout=1_minute
 
   - id: R59
     level: minimal
diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
new file mode 100644
index 00000000000..ae3399527f4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: ol7,ol8,rhel7,rhel8
+
+title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
+
+description: |-
+    The sudo <tt>passwd_timeout</tt> tag sets the amount of time sudo password prompt waits.
+{{%- if product in ["rhel7", "rhel8"] %}}
+    On {{{ full_name }}}, the default <tt>passwd_timeout</tt> value is 5 minutes.
+{{% endif %}}
+    The passwd_timeout should be configured by making sure that the
+    <tt>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</tt> tag exists in
+    <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
+    in <tt>/etc/sudoers.d/</tt>.
+
+rationale: |-
+    Reducing the time <tt>sudo</tt> waits for a a password reduces the time the process is exposed.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83963-9
+    cce@rhel8: CCE-83964-7
+
+references:
+    anssi: BP28(R58)
+
+ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo'
+
+ocil: |-
+    To determine if <tt>passwd_timeout</tt> has been configured for sudo, run the following command:
+    <pre>$ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/</pre>
+    The command should return a matching output.
+
+template:
+    name: sudo_defaults_option
+    vars:
+        option: passwd_timeout
+        variable_name: "var_sudo_passwd_timeout"
diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
new file mode 100644
index 00000000000..4a9dcd5bb7b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Sudo - passwd_timeout value'
+
+description: |-
+    Defines the number of minutes before the <tt>sudo</tt> password prompt times out.
+    Defining 0 means no timeout. The default timeout value is 5 minutes.
+
+interactive: false
+
+type: string
+
+operator: equals
+
+options:
+    default: "5"
+    infinite: "0"
+    1_minute: "1"
+    2_minutes: "2"
+    3_minutes: "3"
+    5_minutes: "5"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 61391f50c2d..e095e405f66 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -349,8 +349,6 @@ CCE-83959-7
 CCE-83960-5
 CCE-83961-3
 CCE-83962-1
-CCE-83963-9
-CCE-83964-7
 CCE-83965-4
 CCE-83966-2
 CCE-83967-0