From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 5 Jan 2021 18:03:24 +0100
Subject: [PATCH] Add rule sudo_add_passwd_timeout
This rule configures the sudo password prompt timeout.
---
controls/anssi.yml | 3 +-
.../sudo/sudo_add_passwd_timeout/rule.yml | 40 +++++++++++++++++++
.../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++
shared/references/cce-redhat-avail.txt | 2 -
4 files changed, 63 insertions(+), 3 deletions(-)
create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
diff --git a/controls/anssi.yml b/controls/anssi.yml
|
|
|
a8c580 |
index 705f8e25aab..5120456230b 100644
|
|
|
a8c580 |
--- a/controls/anssi.yml
|
|
|
a8c580 |
+++ b/controls/anssi.yml
|
|
|
a8c580 |
@@ -892,7 +892,8 @@ controls:
|
|
|
a8c580 |
- var_sudo_umask=0027
|
|
|
a8c580 |
- sudo_add_ignore_dot
|
|
|
a8c580 |
- sudo_add_env_reset
|
|
|
a8c580 |
- # passwd_timeout=1
|
|
|
a8c580 |
+ - sudo_add_passwd_timeout
|
|
|
a8c580 |
+ - var_sudo_passwd_timeout=1_minute
|
|
|
a8c580 |
|
|
|
a8c580 |
- id: R59
|
|
|
a8c580 |
level: minimal
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..ae3399527f4
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
|
|
|
a8c580 |
@@ -0,0 +1,40 @@
|
|
|
a8c580 |
+documentation_complete: true
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+prodtype: ol7,ol8,rhel7,rhel8
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+description: |-
|
|
|
a8c580 |
+ The sudo <tt>passwd_timeout</tt> tag sets the amount of time sudo password prompt waits.
|
|
|
a8c580 |
+{{%- if product in ["rhel7", "rhel8"] %}}
|
|
|
a8c580 |
+ On {{{ full_name }}}, the default <tt>passwd_timeout</tt> value is 5 minutes.
|
|
|
a8c580 |
+{{% endif %}}
|
|
|
a8c580 |
+ The passwd_timeout should be configured by making sure that the
|
|
|
a8c580 |
+ <tt>passwd_timeout=sub_var_value("var_sudo_passwd_timeout")</tt> tag exists in
|
|
|
a8c580 |
+ <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
|
|
|
a8c580 |
+ in <tt>/etc/sudoers.d/</tt>.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+rationale: |-
|
|
|
a8c580 |
+ Reducing the time <tt>sudo</tt> waits for a a password reduces the time the process is exposed.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+severity: medium
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+identifiers:
|
|
|
a8c580 |
+ cce@rhel7: CCE-83963-9
|
|
|
a8c580 |
+ cce@rhel8: CCE-83964-7
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+references:
|
|
|
a8c580 |
+ anssi: BP28(R58)
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo'
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+ocil: |-
|
|
|
a8c580 |
+ To determine if <tt>passwd_timeout</tt> has been configured for sudo, run the following command:
|
|
|
a8c580 |
+ $ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/
|
|
|
a8c580 |
+ The command should return a matching output.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+template:
|
|
|
a8c580 |
+ name: sudo_defaults_option
|
|
|
a8c580 |
+ vars:
|
|
|
a8c580 |
+ option: passwd_timeout
|
|
|
a8c580 |
+ variable_name: "var_sudo_passwd_timeout"
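Review bot: The variable substitution in the description, `passwd_timeout=sub_var_value("var_sudo_passwd_timeout")`, and the same text inside the ocil grep pattern are written without the `{{{ }}}` delimiters that `{{{ full_name }}}` uses a few lines above, so unless the build expands a bare `sub_var_value(...)` call, the rendered rule text and the suggested check command will contain that literal string instead of the selected timeout. Writing both as `{{{ sub_var_value("var_sudo_passwd_timeout") }}}`, or the same substitution form the other sudo rules in this directory use, would fix that. The rationale line also has a doubled article, `for a a password`, and would be more useful if it said what the exposure is: a shorter wait bounds how long an unattended privileged prompt stays open. Since the companion variable accepts `0` (no timeout) and the template only checks that the configured value equals the selected one, the description should make clear that this rule verifies the configured value, not that a timeout is actually enforced.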
|
|
|
a8c580 |
diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
|
|
|
a8c580 |
new file mode 100644
|
|
|
a8c580 |
index 00000000000..4a9dcd5bb7b
|
|
|
a8c580 |
--- /dev/null
|
|
|
a8c580 |
+++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
|
|
|
a8c580 |
@@ -0,0 +1,21 @@
|
|
|
a8c580 |
+documentation_complete: true
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+title: 'Sudo - passwd_timeout value'
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+description: |-
|
|
|
a8c580 |
+ Defines the number of minutes before the <tt>sudo</tt> password prompt times out.
|
|
|
a8c580 |
+ Defining 0 means no timeout. The default timeout value is 5 minutes.
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+interactive: false
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+type: string
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+operator: equals
|
|
|
a8c580 |
+
|
|
|
a8c580 |
+options:
|
|
|
a8c580 |
+ default: "5"
|
|
|
a8c580 |
+ infinite: "0"
|
|
|
a8c580 |
+ 1_minute: "1"
|
|
|
a8c580 |
+ 2_minutes: "2"
|
|
|
a8c580 |
+ 3_minutes: "3"
|
|
|
a8c580 |
+ 5_minutes: "5"
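Review bot: The `infinite: "0"` option, together with `operator: equals`, lets a profile select a value under which the rule passes while the password prompt timeout is disabled, which is the opposite of what the rule's rationale asks for. If the option is kept for completeness, the description should say so explicitly, e.g. `Selecting 0 disables the timeout entirely and is not recommended.`; otherwise dropping it from `options` is the safer choice. The `default: "5"` and `5_minutes: "5"` entries carry the same value, so a reader comparing them to the text "The default timeout value is 5 minutes" should be told that `default` mirrors the sudo default rather than a hardened choice.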
|
|
|
a8c580 |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
a8c580 |
index 61391f50c2d..e095e405f66 100644
|
|
|
a8c580 |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
a8c580 |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
a8c580 |
@@ -349,8 +349,6 @@ CCE-83959-7
|
|
|
a8c580 |
CCE-83960-5
|
|
|
a8c580 |
CCE-83961-3
|
|
|
a8c580 |
CCE-83962-1
|
|
|
a8c580 |
-CCE-83963-9
|
|
|
a8c580 |
-CCE-83964-7
|
|
|
a8c580 |
CCE-83965-4
|
|
|
a8c580 |
CCE-83966-2
|
|
|
a8c580 |
CCE-83967-0
|