
From 573ae69742cf372d41da6c56a3051745326055cd Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Mon, 14 Feb 2022 15:54:37 +0100
Subject: [PATCH] Update RHEL-08-010385 to allow only one occurrence of config.
This configuration must appear at only one place so it doesn't get
overridden by a different file that can be loaded in a different order and
the intended configuration is replaced by non-compliant value.
---
 .../ansible/shared.yml                        | 36 ++++++++++++++++++
 .../bash/shared.sh                            | 38 +++++++++++++++++++
 .../oval/shared.xml                           |  4 +-
 .../sudo_require_reauthentication/rule.yml    | 14 +------
 .../tests/multiple_correct_value.fail.sh      | 10 +++++
 5 files changed, 87 insertions(+), 15 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
 create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
ff1465
new file mode 100644
5fd106
index 00000000000..b0c67a69af9
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml
ff1465
@@ -0,0 +1,36 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+{{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}}
ff1465
+- name: "Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to be deduplicated"
ff1465
+  find:
ff1465
+    path: "/etc/sudoers.d"
ff1465
+    patterns: "*"
ff1465
+    contains: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
ff1465
+  register: sudoers_d_defaults_timestamp_timeout
ff1465
+
ff1465
+- name: "Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/* files"
ff1465
+  lineinfile:
ff1465
+    path: "{{ item.path }}"
ff1465
+    regexp: '^[\s]*Defaults\s.*\btimestamp_timeout=.*'
ff1465
+    state: absent
ff1465
+  with_items: "{{ sudoers_d_defaults_timestamp_timeout.files }}"
ff1465
+
ff1465
+- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
ff1465
+  lineinfile:
ff1465
+    path: /etc/sudoers
ff1465
+    regexp: '^[\s]*Defaults\s(.*)\btimestamp_timeout=[-]?\w+\b(.*)$'
ff1465
+    line: 'Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2'
ff1465
+    validate: /usr/sbin/visudo -cf %s
ff1465
+    backrefs: yes
ff1465
+  register: edit_sudoers_timestamp_timeout_option
ff1465
+
ff1465
+- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
ff1465
+  lineinfile: # noqa 503
ff1465
+    path: /etc/sudoers
ff1465
+    line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
ff1465
+    validate: /usr/sbin/visudo -cf %s
ff1465
+  when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
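Review bot: The `when` on the last task treats `not changed` as `not present`, but the backrefs task above it also reports `changed: false` when /etc/sudoers already holds the correct value on a line that is not literally `Defaults timestamp_timeout=<value>` (for instance with other options on the same `Defaults` line), so the final task then appends a second `Defaults timestamp_timeout=...` line and the `only_one_exists` OVAL test introduced by this same commit fails on the remediated host. Gating the insert on an explicit presence check instead of on `changed` avoids that; a read-only grep task whose return code drives the `when` is one way, shown below. The `lineinfile ... state: absent` task on the /etc/sudoers.d files also carries no `validate:`, unlike the two edits of /etc/sudoers, so a fragment left syntactically broken by the deletion would not be caught; `validate: /usr/sbin/visudo -cf %s` there would match the rest of the file.
```yaml
- name: Check whether /etc/sudoers already defines timestamp_timeout
  command: grep -E '^[[:space:]]*Defaults[[:space:]].*\btimestamp_timeout=' /etc/sudoers
  register: sudoers_timestamp_timeout_present
  changed_when: false
  failed_when: sudoers_timestamp_timeout_present.rc > 1

# … unchanged: backrefs lineinfile task that rewrites an existing value …

- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
  lineinfile: # noqa 503
    path: /etc/sudoers
    line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}'
    validate: /usr/sbin/visudo -cf %s
  when: sudoers_timestamp_timeout_present.rc != 0
```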
ff1465
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
ff1465
new file mode 100644
5fd106
index 00000000000..0b623ed4a49
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh
5fd106
@@ -0,0 +1,38 @@
ff1465
+# platform = multi_platform_all
ff1465
+# reboot = false
ff1465
+# strategy = restrict
ff1465
+# complexity = low
ff1465
+# disruption = low
ff1465
+
ff1465
+
ff1465
+{{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}}
ff1465
+
ff1465
+if grep -x '^[\s]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*; then
ff1465
+    find /etc/sudoers.d/ -type f -exec sed -i "/^[\s]*Defaults.*\btimestamp_timeout=.*/d" {} \;
ff1465
+fi
ff1465
+
ff1465
+if /usr/sbin/visudo -qcf /etc/sudoers; then
ff1465
+    cp /etc/sudoers /etc/sudoers.bak
ff1465
+    if ! grep -P '^[\s]*Defaults.*\btimestamp_timeout=[-]?\w+\b\b.*$' /etc/sudoers; then
ff1465
+        # sudoers file doesn't define Option timestamp_timeout
ff1465
+        echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
ff1465
+    else
ff1465
+        # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
ff1465
+        if ! grep -P "^[\s]*Defaults.*\btimestamp_timeout=${var_sudo_timestamp_timeout}\b.*$" /etc/sudoers; then
ff1465
+            
ff1465
+            sed -Ei "s/(^[\s]*Defaults.*\btimestamp_timeout=)[-]?\w+(\b.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
ff1465
+        fi
ff1465
+    fi
ff1465
+    
ff1465
+    # Check validity of sudoers and cleanup bak
ff1465
+    if /usr/sbin/visudo -qcf /etc/sudoers; then
ff1465
+        rm -f /etc/sudoers.bak
ff1465
+    else
ff1465
+        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
ff1465
+        mv /etc/sudoers.bak /etc/sudoers
ff1465
+        false
ff1465
+    fi
ff1465
+else
ff1465
+    echo "Skipping remediation, /etc/sudoers failed to validate"
ff1465
+    false
ff1465
+fi
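Review bot: `[\s]` inside a bracket expression is not a whitespace class for grep's default BRE or for sed (it matches a literal backslash or the letter `s`), so the `grep -x` cleanup test, the `sed -i ".../d"` under it and the `sed -Ei "s/(^[\s]*Defaults...` replacement never match a `Defaults` line that is indented, while the two `grep -P` checks do treat `[\s]` as whitespace; an indented line with a wrong value is therefore detected but left unchanged, and an indented override in /etc/sudoers.d survives the cleanup. Using `[[:space:]]*` in the three non-PCRE patterns, e.g. `grep -x '^[[:space:]]*Defaults.*\btimestamp_timeout=.*' /etc/sudoers.d/*`, keeps them aligned with the `grep -P` ones. The deletion in /etc/sudoers.d also runs without the backup and `visudo -qcf` safety net that the /etc/sudoers branch below it has, so a fragment damaged by the `sed -i` is left in place; copying each file before editing and validating it afterwards, as done for /etc/sudoers, would close that gap.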
ff1465
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
5fd106
index 8f404ca6065..dfc319b6f1f 100644
ff1465
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
ff1465
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml
ff1465
@@ -6,13 +6,13 @@
ff1465
     </criteria>
ff1465
   </definition>
ff1465
 
ff1465
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
ff1465
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
ff1465
     <ind:object object_ref="obj_sudo_timestamp_timeout"/>
ff1465
     <ind:state state_ref="state_sudo_timestamp_timeout" />
ff1465
   </ind:textfilecontent54_test>
ff1465
 
ff1465
   <ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
ff1465
-    <ind:filepath>/etc/sudoers</ind:filepath>
ff1465
+    <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
ff1465
     <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$</ind:pattern>
ff1465
     <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
ff1465
   </ind:textfilecontent54_object>
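Review bot: The object pattern `^[\s]*Defaults[\s]+timestamp_timeout=([-]?[\d]+)$` only collects lines on which `timestamp_timeout` is the sole option, so with the new `only_one_exists` counting across `^/etc/sudoers(\.d/.*)?$` an override written as `Defaults env_reset, timestamp_timeout=...` (or with further options after the value) in /etc/sudoers.d is never counted and the check still passes even though sudo applies it. The bash and ansible remediations in this commit match the option anywhere on the line (`Defaults.*\btimestamp_timeout=`), so the check is narrower than the fix it is paired with. Widening the pattern to admit other options around it while keeping the value as the first capture group, e.g. `^[\s]*Defaults[\s]+(?:[^#]*,[\s]*)?timestamp_timeout=([-]?[\d]+)(?:[\s]*,.*)?$`, would close that gap, provided the state's subexpression reference still points at the value and the non-capturing group syntax is accepted by the scanner's regex dialect. The `<ind:state>` this test consults is outside the hunk.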
ff1465
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
5fd106
index 42c6e28f9e6..eebb96678f1 100644
ff1465
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
ff1465
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml
5fd106
@@ -50,16 +50,4 @@ ocil: |-
ff1465
     
sudo grep -ri '^Defaults.*timestamp_timeout' /etc/sudoers /etc/sudoers.d
ff1465
     The output should be:
ff1465
     
/etc/sudoers:Defaults timestamp_timeout=0
or "timestamp_timeout" is set to a positive number.
ff1465
-
ff1465
-template:
ff1465
-    name: sudo_defaults_option
ff1465
-    vars:
ff1465
-        option: timestamp_timeout
ff1465
-        variable_name: "var_sudo_timestamp_timeout"
ff1465
-        # optional minus char added so remediation can detect properly if item is already configured
ff1465
-        option_regex_suffix: '=[-]?\w+\b'
ff1465
-    backends:
ff1465
-        # Template is not able to accomodate this particular check.
ff1465
-        # It needs to check for an integer greater than or equal to zero
ff1465
-        oval: "off"
ff1465
-        
ff1465
+    If results are returned from more than one file location, this is a finding.
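Review bot: The added OCIL sentence makes a finding depend on results coming from `more than one file location`, whereas the OVAL test in this commit uses `only_one_exists` over every matching line in /etc/sudoers and /etc/sudoers.d, so two `Defaults timestamp_timeout=` lines inside /etc/sudoers alone fail the automated check but pass the manual procedure as worded. Aligning the text, e.g. `If more than one line is returned, whether from one file or from several files, this is a finding.`, keeps both paths consistent. The `ocil:` block starts before this hunk.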
ff1465
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
ff1465
new file mode 100644
5fd106
index 00000000000..a258d6632b5
ff1465
--- /dev/null
ff1465
+++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_correct_value.fail.sh
ff1465
@@ -0,0 +1,10 @@
ff1465
+#!/bin/bash
ff1465
+
ff1465
+
ff1465
+if grep -q 'timestamp_timeout' /etc/sudoers; then
ff1465
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
ff1465
+else
ff1465
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers
ff1465
+fi
ff1465
+
ff1465
+echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf
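Review bot: The fragment written on the last line, `00-complianceascode-test.conf`, has a `.` in its name, and sudo skips files in an `#includedir` directory whose names contain a dot or end in `~`, so this file does not actually override /etc/sudoers; the scenario still fails only because the OVAL object scans every file under /etc/sudoers.d, not because sudo would honour the duplicate. Naming it without a dot, e.g. `echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test`, makes the scenario model a real duplicate configuration and also exercises the remediations' cleanup of a file sudo would load. The `sed -i 's/.*timestamp_timeout.*/.../'` on the fifth line also rewrites commented lines that merely mention the option; anchoring it on `^[[:space:]]*Defaults` would keep the fixture closer to a real sudoers.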