5f5226d27a
Resolves: rhbz#1962564
From 5d3bcea7c2927f449fbd82074a62425bad89e605 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sun, 30 May 2021 19:16:11 +0100
Subject: [PATCH 1/5] Add sudo custom logfile control for RHEL 8 CIS
---
.../sudo/sudo_custom_logfile/rule.yml | 20 +++++++++++++++++++
.../system/software/sudo/var_sudo_logfile.var | 16 +++++++++++++++
rhel8/profiles/cis.profile | 2 +-
3 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_logfile.var
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
new file mode 100644
index 00000000000..5571c92a679
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -0,0 +1,20 @@
+documentation_complete: true
+
+title: 'Ensure Sudo Logfile Exists - sudo logfile'
+
+description: |-
+ A custom logfile can be configured for sudo with the logfile tag.
+
+rationale: |-
+ A sudo log file simplifies auditing of sudo commands.
+
+severity: medium
+
+identifiers:
+ cis@rhel8: 1.3.3
+
+template:
+ name: sudo_defaults_option
+ vars:
+ option: logfile
+ variable_name: var_sudo_logfile
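Review bot: Nothing in this rule covers the ownership or mode of the file that `option: logfile` makes sudo write, although that file records the command lines run through sudo and may therefore contain sensitive arguments; either pair the rule with a permission check for the path held in `var_sudo_logfile`, or state in the `description` that file permissions are out of scope here. The `description` also calls `logfile` a "tag", but in sudoers it is a Defaults option, so `A custom logfile can be configured for sudo with the logfile Defaults option.` would be more accurate. The `rationale` is a single clause; one sentence on what the dedicated file adds over the existing syslog record would help a reader decide whether to select the rule.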
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
new file mode 100644
index 00000000000..65b23b5f3c2
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
@@ -0,0 +1,16 @@
+documentation_complete: true
+
+title: 'Sudo - logfile value'
+
+description: |-
+ Specify the sudo logfile to use. The default value used here matches the example
+ location from CIS, which uses /var/log/sudo.log.
+
+interactive: false
+
+type: string
+
+operator: equals
+
+options:
+ default: "/var/log/sudo.log"
diff --git a/rhel8/profiles/cis.profile b/rhel8/profiles/cis.profile
index ec9cbfa0a3d..411083d6e71 100644
--- a/rhel8/profiles/cis.profile
+++ b/rhel8/profiles/cis.profile
@@ -132,7 +132,7 @@ selections:
# NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5220
### 1.3.3 Ensure sudo log file exists (Scored)
- # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5221
+ - sudo_custom_logfile
## 1.4 Filesystem Integrity Checking
From da0883992ba7e712f805b86e5b7c96162aed93ec Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Sun, 30 May 2021 20:46:58 +0100
Subject: [PATCH 2/5] Update rule with OCIL parameters
---
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index 5571c92a679..de0ecb98a76 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -8,11 +8,18 @@ description: |-
rationale: |-
A sudo log file simplifies auditing of sudo commands.
-severity: medium
+severity: low
identifiers:
cis@rhel8: 1.3.3
+ocil_clause: 'logfile is not enabled in sudo'
+
+ocil: |-
+ To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
+ <pre>$ sudo grep -ri "^[\s]*Defaults.*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
+ The command should return a matching output.
+
template:
name: sudo_defaults_option
vars:
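Review bot: The OCIL command on the `<pre>` line uses `^[\s]*`, which inside a grep bracket expression matches a literal backslash or the letter `s` rather than leading whitespace, so an indented `Defaults` line is missed; the portable form is `^[[:space:]]*Defaults.*\blogfile\b.*`. The pattern also reports success for `Defaults !logfile`, which explicitly turns the log off, and it never compares the configured path with `var_sudo_logfile`, so the manual check is presumably weaker than the template-generated one; anchoring the guidance on `logfile=` and telling the reader to compare the value with the expected path would close that gap. The severity change from `medium` to `low` is not mentioned in the commit subject and deserves a sentence in the message explaining why.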
From 2b6721b3e3858d75f27d7ad8395a79a1ce68bc73 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Mon, 31 May 2021 11:44:13 +0100
Subject: [PATCH 3/5] Use references field for CIS rather than identifiers
---
.../guide/system/software/sudo/sudo_custom_logfile/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index de0ecb98a76..afce7f1867c 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -10,7 +10,7 @@ rationale: |-
severity: low
-identifiers:
+references:
cis@rhel8: 1.3.3
ocil_clause: 'logfile is not enabled in sudo'
From ee4ed67f0f9e246b20098d60efed7e20bc7b7a13 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 1 Jun 2021 11:28:08 +0100
Subject: [PATCH 4/5] Add missing CCE identifiers to sudo logfile rule
---
.../system/software/sudo/sudo_custom_logfile/rule.yml | 9 ++++++++-
shared/references/cce-redhat-avail.txt | 2 --
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
index afce7f1867c..d08b7891293 100644
--- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/rule.yml
@@ -3,14 +3,21 @@ documentation_complete: true
title: 'Ensure Sudo Logfile Exists - sudo logfile'
description: |-
- A custom logfile can be configured for sudo with the logfile tag.
+ A custom log sudo file can be configured with the 'logfile' tag. This rule configures
+ a sudo custom logfile at the default location suggested by CIS, which uses
+ /var/log/sudo.log.
rationale: |-
A sudo log file simplifies auditing of sudo commands.
severity: low
+identifiers:
+ cce@rhel7: CCE-83600-7
+ cce@rhel8: CCE-83601-5
+
references:
+ cis@rhel7: 5.2.3
cis@rhel8: 1.3.3
ocil_clause: 'logfile is not enabled in sudo'
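Review bot: The new first `description` line reads `A custom log sudo file can be configured with the 'logfile' tag.`, which has the words out of order and mislabels a Defaults option; `A custom sudo log file can be configured with the 'logfile' Defaults option.` reads correctly. The same paragraph states that the rule configures `/var/log/sudo.log`, while the rule actually takes the path from `var_sudo_logfile` (set in the template vars, outside this hunk), so `at the location given by var_sudo_logfile (by default /var/log/sudo.log, the location suggested by CIS)` describes the behaviour without going stale once the variable is tailored. The added `cis@rhel7: 5.2.3` reference cannot be verified from the hunk and is worth double-checking against the RHEL 7 benchmark before merge.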
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ae54d0ee0b2..e74b6779509 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -94,8 +94,6 @@ CCE-83594-2
CCE-83595-9
CCE-83596-7
CCE-83599-1
-CCE-83600-7
-CCE-83601-5
CCE-83606-4
CCE-83608-0
CCE-83609-8
From 298533e0e7360752737b24deb07903c04b33bc21 Mon Sep 17 00:00:00 2001
From: Alex Haydock <alex@alexhaydock.co.uk>
Date: Tue, 1 Jun 2021 16:19:45 +0100
Subject: [PATCH 5/5] Allow users to override sudo logfile location with
tailoring
---
linux_os/guide/system/software/sudo/var_sudo_logfile.var | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/var_sudo_logfile.var b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
index 65b23b5f3c2..7c5d02d37eb 100644
--- a/linux_os/guide/system/software/sudo/var_sudo_logfile.var
+++ b/linux_os/guide/system/software/sudo/var_sudo_logfile.var
@@ -6,7 +6,7 @@ description: |-
Specify the sudo logfile to use. The default value used here matches the example
location from CIS, which uses /var/log/sudo.log.
-interactive: false
+interactive: true
type: string