From d60c5a0b861625bc1184b0ed3951e9d46fc1e256 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Fri, 4 Sep 2020 15:21:42 +0200
Subject: [PATCH 1/3] Add ansible remediation for sudo_remove_nopasswd.
Add test scenarios for sudo_remove_nopasswd.
---
.../sudo_remove_nopasswd/ansible/shared.yml | 21 +++++++++++++++++++
.../tests/correct_value.pass.sh | 6 ++++++
.../tests/wrong_value.fail.sh | 9 ++++++++
3 files changed, 36 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
new file mode 100644
index 0000000000..ba0f9e78a6
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -0,0 +1,21 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+- name: Find /etc/sudoers.d/ files
+ find:
+ paths:
+ - /etc/sudoers.d/
+ register: sudoers
+
+- name: "Remove lines containing NOPASSWD from sudoers files"
+ replace:
+ regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
+ replace: '# \g<1>'
+ path: "{{ item.path }}"
+ validate: /usr/sbin/visudo -cf %s
+ with_items:
+ - { path: /etc/sudoers }
+ - "{{ sudoers.files }}"
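Review bot: The remediation only processes /etc/sudoers and the files directly under /etc/sudoers.d/ (the `find` task at the top of the hunk plus the literal `{ path: /etc/sudoers }` item), so a NOPASSWD entry in any other file reached through an `#include` or a non-default `#includedir` directive in /etc/sudoers survives remediation. Whether that is acceptable depends on the matching check, which is not in view, but the limitation should be stated at the call site; a comment above the first task such as `# Only /etc/sudoers and the top level of /etc/sudoers.d/ are processed; files pulled in by other #include/#includedir directives are not followed` would do. The bash variant in the second patch (`ls /etc/sudoers /etc/sudoers.d/*`) has the same scope. A smaller point: `(?!#)` is evaluated at column 0 only, so an indented, already-commented NOPASSWD line is matched and prefixed a second time on the first run; `(^(?!\s*#).*[\s]+NOPASSWD[\s]*\:.*$)` avoids that and is otherwise equivalent.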
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..3a94382235
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "%wheel ALL=(ALL) ALL" > /etc/sudoers
+chmod 440 /etc/sudoers
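Review bot: The pass scenario resets only /etc/sudoers, while the remediation (and presumably the check) also covers /etc/sudoers.d/; a test image that ships a NOPASSWD drop-in for its provisioning user would make this scenario fail for reasons unrelated to the rule. Clearing the drop-in directory as well, e.g. `rm -f /etc/sudoers.d/*`, makes the fixture self-contained. `rm -f /etc/sudoers` is redundant with the truncating `>` redirect on the next line. The same applies to the pass scenarios for sudo_remove_no_authenticate and sudo_require_authentication added in the third patch.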
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..5b2eecd3be
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
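Review bot: `mkdir /etc/sudoers.d/` errors with "File exists" on any system where the directory is already present, which is the common case since stock sudoers files typically carry `#includedir /etc/sudoers.d`; the script does not use `set -e`, so the following `echo` still runs, but the error is noise in the test log and hides real failures. `mkdir -p /etc/sudoers.d/` is the idiomatic form. The fail scenarios for sudo_remove_no_authenticate and sudo_require_authentication in the third patch repeat the same line.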
From af0f8b73f84a1bd14a69295a04dd6520c56930ba Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 7 Sep 2020 16:25:40 +0200
Subject: [PATCH 2/3] Add bash remediation for sudo_remove_nopasswd.
---
.../sudo/sudo_remove_nopasswd/bash/shared.sh | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
new file mode 100644
index 0000000000..8c2f2f8240
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -0,0 +1,17 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
+ nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
+ if ! test -z "$nopasswd_list"; then
+ while IFS= read -r nopasswd_entry; do
+ # comment out "NOPASSWD:" matches to preserve user data
+ sed -i "s/^${nopasswd_entry}$/# &/g" $f
+ done <<< "$nopasswd_list"
+
+ /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+ fi
+done
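Review bot: `sed -i "s/^${nopasswd_entry}$/# &/g" $f` interpolates the matched sudoers line verbatim into a sed `s///` expression, so any entry containing `/` (every command path, e.g. a `NOPASSWD: /usr/bin/systemctl` entry) or BRE metacharacters (`*`, `.`, `[`) either makes sed abort with "unknown option to `s'" or matches something other than the intended line, and the NOPASSWD entry is left in place while the script reports nothing. Letting sed perform the match itself removes the interpolation entirely, as sketched below, and also drops the `ls`-parsing loop and the unquoted `$f`. Note that `visudo -cf` runs only after the file has been rewritten, so a failed validation is echoed but not rolled back, unlike the Ansible variant's `validate:`. The third patch moves this logic into a macro (shared/macros-bash.jinja, not shown here), so the fix should be carried over there.
```shell
for f in /etc/sudoers /etc/sudoers.d/*; do
  [ -f "$f" ] || continue
  # comment out "NOPASSWD:" entries in place; sed does the matching itself, so
  # no sudoers content is ever interpolated into a sed expression
  sed -i -E 's/^([^#].*[[:space:]]+NOPASSWD[[:space:]]*:.*)$/# \1/' "$f"
  /usr/sbin/visudo -cf "$f" &> /dev/null || echo "Fail to validate $f with visudo"
done
```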
From e6ebab404aa415e7308f112e2ac99e8ccd821aff Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 7 Sep 2020 17:53:53 +0200
Subject: [PATCH 3/3] Create bash and ansible macro for sudo related rules.
---
.../ansible/shared.yml | 7 +++++++
.../bash/shared.sh | 7 +++++++
.../tests/correct_value.pass.sh | 6 ++++++
.../tests/wrong_value.fail.sh | 9 +++++++++
.../sudo_remove_nopasswd/ansible/shared.yml | 16 +---------------
.../sudo/sudo_remove_nopasswd/bash/shared.sh | 12 +-----------
.../ansible/shared.yml | 9 +++++++++
.../bash/shared.sh | 9 +++++++++
.../tests/correct_value.pass.sh | 7 +++++++
.../tests/wrong_value.fail.sh | 11 +++++++++++
shared/macros-ansible.jinja | 19 +++++++++++++++++++
shared/macros-bash.jinja | 14 ++++++++++++++
12 files changed, 100 insertions(+), 26 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..692f86a2df
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..2de9538865
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
index ba0f9e78a6..37937aeda7 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml
@@ -4,18 +4,4 @@
# complexity = low
# disruption = low
-- name: Find /etc/sudoers.d/ files
- find:
- paths:
- - /etc/sudoers.d/
- register: sudoers
-
-- name: "Remove lines containing NOPASSWD from sudoers files"
- replace:
- regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
- replace: '# \g<1>'
- path: "{{ item.path }}"
- validate: /usr/sbin/visudo -cf %s
- with_items:
- - { path: /etc/sudoers }
- - "{{ sudoers.files }}"
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
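Review bot: The macro call passes two look-alike arguments, `"NOPASSWD"` and `"NOPASSWD[\s]*\:"`, and nothing at the call site says what each is used for; the macro definition in shared/macros-ansible.jinja is part of this commit but not in view here. A one-line comment above the call, e.g. `# first argument: the sudoers option name, second: the regex fragment that identifies it — see ansible_sudo_remove_config in shared/macros-ansible.jinja`, would let a reader verify the call without opening the macro, assuming that is indeed how the macro uses them. The backslashes in the second argument pass through Jinja string-literal parsing before they reach the regex, which is worth a glance when the macro itself is reviewed. The `bash_sudo_remove_config` call in the following file has the same shape.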
diff --git a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
index 8c2f2f8240..cd4f829482 100644
--- a/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh
@@ -4,14 +4,4 @@
# complexity = low
# disruption = low
-for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
- nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
- if ! test -z "$nopasswd_list"; then
- while IFS= read -r nopasswd_entry; do
- # comment out "NOPASSWD:" matches to preserve user data
- sed -i "s/^${nopasswd_entry}$/# &/g" $f
- done <<< "$nopasswd_list"
-
- /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
- fi
-done
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..6d01825fa8
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+rm -f /etc/sudoers
+echo "%wheel ALL=(ALL) ALL" > /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers
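Review bot: `echo "Defaults authenticate" > /etc/sudoers` uses a truncating redirect, so the `%wheel ALL=(ALL) ALL` line written immediately before it is discarded and the resulting file contains only the Defaults line. If the fixture is meant to hold both entries, the second write should append: `echo "Defaults authenticate" >> /etc/sudoers`. The scenario likely still passes as written, since no offending entry remains, which is why the slip goes unnoticed.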
diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..a2942b97e7
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel ALL=(ALL) !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers
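Review bot: `%wheel ALL=(ALL) !authenticate ALL` in /etc/sudoers.d/sudoers is not valid sudoers syntax: `authenticate` is a Defaults option, not a user-specification tag (those are `NOPASSWD:`, `PASSWD:` and similar), so `visudo -cf` should reject the file. Since the script already appends `Defaults !authenticate` to the same file, the line can simply be dropped, or replaced with `echo "%wheel ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers.d/sudoers` to mirror what is written to /etc/sudoers above. A syntactically broken drop-in can also make the remediation's visudo validation fail for reasons unrelated to the rule under test.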