|
 |
a8c580 |
From 7e564ab00c07d31012bb2cede57b0c7f3cd28c76 Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: yarunachalam <yarunachalam@suse.com>
|
|
|
a8c580 |
Date: Thu, 22 Apr 2021 18:58:28 +0000
|
|
|
a8c580 |
Subject: [PATCH 1/6] Add Rule,Test for SLES-15-020103
|
|
|
a8c580 |
|
|
|
a8c580 |
Rule has no remediation.
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../sudoers_validate_passwd/oval/shared.xml | 44 ++++++++++++++++++
|
|
|
a8c580 |
.../sudo/sudoers_validate_passwd/rule.yml | 45 +++++++++++++++++++
|
|
|
a8c580 |
.../tests/sudoers_validate_passwd_fail.sh | 7 +++
|
|
|
a8c580 |
.../tests/sudoers_validate_passwd_pass.sh | 6 +++
|
|
|
a8c580 |
.../tests/sudoers_validate_rootpw_fail.sh | 7 +++
|
|
|
a8c580 |
.../tests/sudoers_validate_runaspw_fail.sh | 7 +++
|
|
|
a8c580 |
.../tests/sudoers_validate_targetpw_fail.sh | 7 +++
|
|
|
a8c580 |
8 files changed, 125 insertions(+)
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
|
|
|
a8c580 |
create mode 100644 linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..3f33b82b520
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
@@ -0,0 +1,44 @@
|
|
|
a8c580 |
+<def-group>
|
|
|
a8c580 |
+ <definition class="compliance" id="sudoers_validate_passwd" version="1">
|
|
|
a8c580 |
+ {{{ oval_metadata("Ensure invoking user's password for privilege escalation when using sudo") }}}
|
|
|
a8c580 |
+ <criteria operator="AND">
|
|
|
a8c580 |
+ <criterion comment="Check Defaults !targetpw exists in /etc/sudoers file" test_ref="test_sudoers_targetpw_config" />
|
|
|
a8c580 |
+ <criterion comment="Check Defaults !rootpw exists in /etc/sudoers file" test_ref="test_sudoers_rootpw_config" />
|
|
|
a8c580 |
+ <criterion comment="Check Defaults !runaspw exists in /etc/sudoers file" test_ref="test_sudoers_runaspw_config" />
|
|
|
a8c580 |
+ </criteria>
|
|
|
a8c580 |
+ </definition>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ id="test_sudoers_targetpw_config" version="1">
|
|
|
a8c580 |
+ <ind:object object_ref="object_test_sudoers_targetpw_config" />
|
|
|
a8c580 |
+ </ind:textfilecontent54_test>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ id="test_sudoers_rootpw_config" version="1">
|
|
|
a8c580 |
+ <ind:object object_ref="object_test_sudoers_rootpw_config" />
|
|
|
a8c580 |
+ </ind:textfilecontent54_test>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ id="test_sudoers_runaspw_config" version="1">
|
|
|
a8c580 |
+ <ind:object object_ref="object_test_sudoers_runaspw_config" />
|
|
|
a8c580 |
+ </ind:textfilecontent54_test>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ <ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
|
|
|
a8c580 |
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
a8c580 |
+ <ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
|
|
|
a8c580 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
a8c580 |
+ </ind:textfilecontent54_object>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ <ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
|
|
|
a8c580 |
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
a8c580 |
+ <ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
|
|
|
a8c580 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
a8c580 |
+ </ind:textfilecontent54_object>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ <ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
|
|
|
a8c580 |
+ <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
a8c580 |
+ <ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
|
|
|
a8c580 |
+ <ind:instance datatype="int">1</ind:instance>
|
|
|
a8c580 |
+ </ind:textfilecontent54_object>
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+</def-group>
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..cf564c6b533
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
@@ -0,0 +1,45 @@
|
|
|
a8c580 |
+documentation_complete: true
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+title: 'Ensure invoking users password for privilege escalation when using sudo'
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+prodtype: sle15
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+description: |-
|
|
|
a8c580 |
+ The sudoers security policy requires that users authenticate themselves before they can use sudo.
|
|
|
a8c580 |
+ When sudoers requires authentication, it validates the invoking user's credentials.
|
|
|
a8c580 |
+severity: medium
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+rationale: |-
|
|
|
a8c580 |
+ If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
|
|
|
a8c580 |
+ the invoking user for the "root" user password.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+identifiers:
|
|
|
a8c580 |
+ cce@sle15: CCE-85747-4
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+references:
|
|
|
a8c580 |
+ disa@sle15: CCI-000366
|
|
|
a8c580 |
+ nist@sle15: CM-6(b),CM-6.1(iv)
|
|
|
a8c580 |
+ srg: SRG-OS-000480-GPOS-00227
|
|
|
a8c580 |
+ stigid@sle15: SLES-15-020103
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ocil_clause: 'invoke user passwd when using sudo'
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ocil: |-
|
|
|
a8c580 |
+ To Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ /etc/sudoers:Defaults !targetpw
|
|
|
a8c580 |
+ /etc/sudoers:Defaults !rootpw
|
|
|
a8c580 |
+ /etc/sudoers:Defaults !runaspw
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ If no results are returned, this is a finding
|
|
|
a8c580 |
+ If "Defaults !targetpw" is not defined, this is a finding.
|
|
|
a8c580 |
+ If "Defaults !rootpw" is not defined, this is a finding.
|
|
|
a8c580 |
+ If "Defaults !runaspw" is not defined, this is a finding.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ Defaults !targetpw
|
|
|
a8c580 |
+ Defaults !rootpw
|
|
|
a8c580 |
+ Defaults !runaspw
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..d8b33a0ac52
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
|
|
|
a8c580 |
@@ -0,0 +1,7 @@
|
|
|
a8c580 |
+# platform = SUSE Linux Enterprise 15
|
|
|
a8c580 |
+# packages = sudo
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+if [ $(sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
|
|
|
a8c580 |
+then
|
|
|
a8c580 |
+ sed -i '/Defaults !targetpw/{:a;N;/Defaults !runaspw/!ba};/Defaults !rootpw/d' /etc/sudoers
|
|
|
a8c580 |
+fi
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..f2461085f99
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
|
|
|
a8c580 |
@@ -0,0 +1,6 @@
|
|
|
a8c580 |
+# platform = SUSE Linux Enterprise 15
|
|
|
a8c580 |
+# packages = sudo
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+echo 'Defaults !targetpw' >> /etc/sudoers
|
|
|
a8c580 |
+echo 'Defaults !rootpw' >> /etc/sudoers
|
|
|
a8c580 |
+echo 'Defaults !runaspw' >> /etc/sudoers
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..9a8f51450cd
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
|
|
|
a8c580 |
@@ -0,0 +1,7 @@
|
|
|
a8c580 |
+# platform = SUSE Linux Enterprise 15
|
|
|
a8c580 |
+# packages = sudo
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+if [ $(sudo egrep -i '(!rootpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
|
|
|
a8c580 |
+then
|
|
|
a8c580 |
+ sed -i '/Defaults !rootpw/d' /etc/sudoers
|
|
|
a8c580 |
+fi
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..a455aa14968
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
|
|
|
a8c580 |
@@ -0,0 +1,7 @@
|
|
|
a8c580 |
+# platform = SUSE Linux Enterprise 15
|
|
|
a8c580 |
+# packages = sudo
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+if [ $(sudo egrep -i '(!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
|
|
|
a8c580 |
+then
|
|
|
a8c580 |
+ sed -i '/Defaults !runaspw/d' /etc/sudoers
|
|
|
a8c580 |
+fi
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..1b18a8f3dc5
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
|
|
|
a8c580 |
@@ -0,0 +1,7 @@
|
|
|
a8c580 |
+# platform = SUSE Linux Enterprise 15
|
|
|
a8c580 |
+# packages = sudo
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+if [ $(sudo egrep -i '(!targetpw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | wc -l) -ne 0 ]
|
|
|
a8c580 |
+then
|
|
|
a8c580 |
+ sed -i '/Defaults !targetpw/d' /etc/sudoers
|
|
|
a8c580 |
+fi
|
|
|
a8c580 |
|
|
|
a8c580 |
|
|
|
a8c580 |
From d691e2d0183c0254e0d2a095853db373247691ef Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: yarunachalam <40246855+yarunachalam@users.noreply.github.com>
|
|
|
a8c580 |
Date: Fri, 23 Apr 2021 17:09:38 +0000
|
|
|
a8c580 |
Subject: [PATCH 2/6] Update
|
|
|
a8c580 |
linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
|
|
|
a8c580 |
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../guide/system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
|
|
|
a8c580 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
index cf564c6b533..2ac2153d546 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
@@ -25,7 +25,7 @@ references:
|
|
|
a8c580 |
ocil_clause: 'invoke user passwd when using sudo'
|
|
|
a8c580 |
|
|
|
a8c580 |
ocil: |-
|
|
|
a8c580 |
- To Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation.
|
|
|
a8c580 |
+ Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
|
|
|
a8c580 |
|
|
|
a8c580 |
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
a8c580 |
|
|
|
a8c580 |
|
|
|
a8c580 |
From eb314afa0554ae9badd47bc218f79e6f276fdc79 Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: yarunachalam <40246855+yarunachalam@users.noreply.github.com>
|
|
|
a8c580 |
Date: Fri, 23 Apr 2021 17:20:57 +0000
|
|
|
a8c580 |
Subject: [PATCH 3/6] Apply suggestions from code review
|
|
|
a8c580 |
|
|
|
a8c580 |
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../software/sudo/sudoers_validate_passwd/oval/shared.xml | 4 ++--
|
|
|
a8c580 |
.../system/software/sudo/sudoers_validate_passwd/rule.yml | 2 +-
|
|
|
a8c580 |
2 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
index 3f33b82b520..1c3a83523c6 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
@@ -30,13 +30,13 @@
|
|
|
a8c580 |
</ind:textfilecontent54_object>
|
|
|
a8c580 |
|
|
|
a8c580 |
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
|
|
|
a8c580 |
- <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
a8c580 |
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
a8c580 |
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
|
|
|
a8c580 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
a8c580 |
</ind:textfilecontent54_object>
|
|
|
a8c580 |
|
|
|
a8c580 |
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
|
|
|
a8c580 |
- <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
a8c580 |
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
a8c580 |
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
|
|
|
a8c580 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
a8c580 |
</ind:textfilecontent54_object>
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
index 2ac2153d546..e420e5aa151 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
@@ -28,7 +28,7 @@ ocil: |-
|
|
|
a8c580 |
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
|
|
|
a8c580 |
|
|
|
a8c580 |
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
a8c580 |
-
|
|
|
a8c580 |
+The expected output is:
|
|
|
a8c580 |
/etc/sudoers:Defaults !targetpw
|
|
|
a8c580 |
/etc/sudoers:Defaults !rootpw
|
|
|
a8c580 |
/etc/sudoers:Defaults !runaspw
|
|
|
a8c580 |
|
|
|
a8c580 |
From 8b4ae0c13a4992db2e908e1380b81b4d6cbacee1 Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: yarunachalam <yarunachalam@suse.com>
|
|
|
a8c580 |
Date: Fri, 23 Apr 2021 18:27:03 +0000
|
|
|
a8c580 |
Subject: [PATCH 4/6] Updated review comments:
|
|
|
a8c580 |
|
|
|
a8c580 |
- Fixed disa record and removed blank line.
|
|
|
a8c580 |
- Renamed test case file name according the to the format
|
|
|
a8c580 |
- Removed susefirewall2_only_required_services stig from sle15 profile
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../software/sudo/sudoers_validate_passwd/rule.yml | 14 ++++++--------
|
|
|
a8c580 |
...swd_fail.sh => sudoers_validate_passwd.fail.sh} | 0
|
|
|
a8c580 |
...swd_pass.sh => sudoers_validate_passwd.pass.sh} | 0
|
|
|
a8c580 |
...tpw_fail.sh => sudoers_validate_rootpw.fail.sh} | 0
|
|
|
a8c580 |
...pw_fail.sh => sudoers_validate_runaspw.fail.sh} | 0
|
|
|
a8c580 |
...w_fail.sh => sudoers_validate_targetpw.fail.sh} | 0
|
|
|
a8c580 |
7 files changed, 6 insertions(+), 9 deletions(-)
|
|
|
a8c580 |
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_passwd_fail.sh => sudoers_validate_passwd.fail.sh} (100%)
|
|
|
a8c580 |
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_passwd_pass.sh => sudoers_validate_passwd.pass.sh} (100%)
|
|
|
a8c580 |
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_rootpw_fail.sh => sudoers_validate_rootpw.fail.sh} (100%)
|
|
|
a8c580 |
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_runaspw_fail.sh => sudoers_validate_runaspw.fail.sh} (100%)
|
|
|
a8c580 |
rename linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/{sudoers_validate_targetpw_fail.sh => sudoers_validate_targetpw.fail.sh} (100%)
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
index e420e5aa151..db636bc59a2 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
@@ -7,6 +7,11 @@ prodtype: sle15
|
|
|
a8c580 |
description: |-
|
|
|
a8c580 |
The sudoers security policy requires that users authenticate themselves before they can use sudo.
|
|
|
a8c580 |
When sudoers requires authentication, it validates the invoking user's credentials.
|
|
|
a8c580 |
+ Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
|
|
|
a8c580 |
+ Defaults !targetpw
|
|
|
a8c580 |
+ Defaults !rootpw
|
|
|
a8c580 |
+ Defaults !runaspw
|
|
|
a8c580 |
+
|
|
|
a8c580 |
severity: medium
|
|
|
a8c580 |
|
|
|
a8c580 |
rationale: |-
|
|
|
a8c580 |
@@ -17,7 +22,7 @@ identifiers:
|
|
|
a8c580 |
cce@sle15: CCE-85747-4
|
|
|
a8c580 |
|
|
|
a8c580 |
references:
|
|
|
a8c580 |
- disa@sle15: CCI-000366
|
|
|
a8c580 |
+ disa: CCI-000366
|
|
|
a8c580 |
nist@sle15: CM-6(b),CM-6.1(iv)
|
|
|
a8c580 |
srg: SRG-OS-000480-GPOS-00227
|
|
|
a8c580 |
stigid@sle15: SLES-15-020103
|
|
|
a8c580 |
@@ -26,7 +31,6 @@ ocil_clause: 'invoke user passwd when using sudo'
|
|
|
a8c580 |
|
|
|
a8c580 |
ocil: |-
|
|
|
a8c580 |
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
|
|
|
a8c580 |
-
|
|
|
a8c580 |
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
a8c580 |
The expected output is:
|
|
|
a8c580 |
/etc/sudoers:Defaults !targetpw
|
|
|
a8c580 |
@@ -37,9 +41,3 @@ The expected output is:
|
|
|
a8c580 |
If "Defaults !targetpw" is not defined, this is a finding.
|
|
|
a8c580 |
If "Defaults !rootpw" is not defined, this is a finding.
|
|
|
a8c580 |
If "Defaults !runaspw" is not defined, this is a finding.
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
|
|
|
a8c580 |
-
|
|
|
a8c580 |
- Defaults !targetpw
|
|
|
a8c580 |
- Defaults !rootpw
|
|
|
a8c580 |
- Defaults !runaspw
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
|
|
|
a8c580 |
similarity index 100%
|
|
|
a8c580 |
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_fail.sh
|
|
|
a8c580 |
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.fail.sh
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
|
|
|
a8c580 |
similarity index 100%
|
|
|
a8c580 |
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_pass.sh
|
|
|
a8c580 |
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd.pass.sh
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
|
|
|
a8c580 |
similarity index 100%
|
|
|
a8c580 |
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw_fail.sh
|
|
|
a8c580 |
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_rootpw.fail.sh
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
|
|
|
a8c580 |
similarity index 100%
|
|
|
a8c580 |
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw_fail.sh
|
|
|
a8c580 |
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_runaspw.fail.sh
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
|
|
|
a8c580 |
similarity index 100%
|
|
|
a8c580 |
rename from linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw_fail.sh
|
|
|
a8c580 |
rename to linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_targetpw.fail.sh
|
|
|
a8c580 |
|
|
|
a8c580 |
|
|
|
a8c580 |
From dfd5d60cb3ef52692e175efe52076495471db994 Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: yarunachalam <40246855+yarunachalam@users.noreply.github.com>
|
|
|
a8c580 |
Date: Fri, 23 Apr 2021 18:32:31 +0000
|
|
|
a8c580 |
Subject: [PATCH 5/6] Apply suggestions from code review
|
|
|
a8c580 |
|
|
|
a8c580 |
Co-authored-by: vojtapolasek <krecoun@gmail.com>
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../software/sudo/sudoers_validate_passwd/oval/shared.xml | 2 +-
|
|
|
a8c580 |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
index 1c3a83523c6..646e6bfb7c0 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
a8c580 |
@@ -24,7 +24,7 @@
|
|
|
a8c580 |
</ind:textfilecontent54_test>
|
|
|
a8c580 |
|
|
|
a8c580 |
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
|
|
|
a8c580 |
- <ind:filepath>/etc/sudoers</ind:filepath>
|
|
|
a8c580 |
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
a8c580 |
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
|
|
|
a8c580 |
<ind:instance datatype="int">1</ind:instance>
|
|
|
a8c580 |
</ind:textfilecontent54_object>
|
|
|
a8c580 |
|
|
|
a8c580 |
From 244471e24f9e90dd5ef54530f517b1759c87a01f Mon Sep 17 00:00:00 2001
|
|
|
a8c580 |
From: yarunachalam <yarunachalam@suse.com>
|
|
|
a8c580 |
Date: Fri, 23 Apr 2021 19:18:20 +0000
|
|
|
a8c580 |
Subject: [PATCH 6/6] Fixed ocil record
|
|
|
a8c580 |
|
|
|
a8c580 |
---
|
|
|
a8c580 |
.../sudo/sudoers_validate_passwd/rule.yml | 16 ++++++----------
|
|
|
a8c580 |
1 file changed, 6 insertions(+), 10 deletions(-)
|
|
|
a8c580 |
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
index db636bc59a2..d0a90a3723a 100644
|
|
|
a8c580 |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
a8c580 |
@@ -7,10 +7,11 @@ prodtype: sle15
|
|
|
a8c580 |
description: |-
|
|
|
a8c580 |
The sudoers security policy requires that users authenticate themselves before they can use sudo.
|
|
|
a8c580 |
When sudoers requires authentication, it validates the invoking user's credentials.
|
|
|
a8c580 |
- Fix Text: Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
|
|
|
a8c580 |
- Defaults !targetpw
|
|
|
a8c580 |
- Defaults !rootpw
|
|
|
a8c580 |
- Defaults !runaspw
|
|
|
a8c580 |
+ The expected output for:
|
|
|
a8c580 |
+ sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
a8c580 |
+ /etc/sudoers:Defaults !targetpw
|
|
|
a8c580 |
+ /etc/sudoers:Defaults !rootpw
|
|
|
a8c580 |
+ /etc/sudoers:Defaults !runaspw
|
|
|
a8c580 |
|
|
|
a8c580 |
severity: medium
|
|
|
a8c580 |
|
|
|
a8c580 |
@@ -30,13 +31,8 @@ references:
|
|
|
a8c580 |
ocil_clause: 'invoke user passwd when using sudo'
|
|
|
a8c580 |
|
|
|
a8c580 |
ocil: |-
|
|
|
a8c580 |
- Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalatiob:
|
|
|
a8c580 |
+ Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
|
|
|
a8c580 |
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
a8c580 |
-The expected output is:
|
|
|
a8c580 |
- /etc/sudoers:Defaults !targetpw
|
|
|
a8c580 |
- /etc/sudoers:Defaults !rootpw
|
|
|
a8c580 |
- /etc/sudoers:Defaults !runaspw
|
|
|
a8c580 |
-
|
|
|
a8c580 |
If no results are returned, this is a finding
|
|
|
a8c580 |
If "Defaults !targetpw" is not defined, this is a finding.
|
|
|
a8c580 |
If "Defaults !rootpw" is not defined, this is a finding.
|