|
 |
07cb6b |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
|
|
07cb6b |
index 08ffd76aed6..399ca1ea3ce 100644
|
|
|
07cb6b |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
|
|
07cb6b |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
|
|
|
07cb6b |
@@ -4,6 +4,26 @@
|
|
|
07cb6b |
# complexity = low
|
|
|
07cb6b |
# disruption = low
|
|
|
07cb6b |
|
|
|
07cb6b |
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
|
|
|
07cb6b |
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
|
|
|
07cb6b |
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
|
|
|
07cb6b |
+{{%- macro delete_line_in_sudoers_d(line) %}}
|
|
|
07cb6b |
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
|
|
|
07cb6b |
+ find:
|
|
|
07cb6b |
+ path: "/etc/sudoers.d"
|
|
|
07cb6b |
+ patterns: "*"
|
|
|
07cb6b |
+ contains: '^{{{ line }}}$'
|
|
|
07cb6b |
+ register: sudoers_d_defaults
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
|
|
|
07cb6b |
+ lineinfile:
|
|
|
07cb6b |
+ path: "{{ item.path }}"
|
|
|
07cb6b |
+ regexp: "^{{{ line }}}$"
|
|
|
07cb6b |
+ state: absent
|
|
|
07cb6b |
+ with_items: "{{ sudoers_d_defaults.files }}"
|
|
|
07cb6b |
+{{%- endmacro %}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
|
|
|
07cb6b |
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
|
|
|
07cb6b |
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
|
|
|
07cb6b |
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
|
|
|
07cb6b |
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
|
|
07cb6b |
index ea0ac67fa1c..3b327f3fc88 100644
|
|
|
07cb6b |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
|
|
07cb6b |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
|
|
|
07cb6b |
@@ -1,5 +1,17 @@
|
|
|
07cb6b |
# platform = multi_platform_all
|
|
|
07cb6b |
|
|
|
07cb6b |
+{{%- macro delete_line_in_sudoers_d(line) %}}
|
|
|
07cb6b |
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
|
|
|
07cb6b |
+ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
|
|
|
07cb6b |
+fi
|
|
|
07cb6b |
+{{%- endmacro %}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
|
|
|
07cb6b |
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
|
|
|
07cb6b |
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
|
|
07cb6b |
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
|
|
07cb6b |
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
07cb6b |
index 646e6bfb7c0..b3fadd53bee 100644
|
|
|
07cb6b |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
07cb6b |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
|
|
|
07cb6b |
@@ -8,17 +8,17 @@
|
|
|
07cb6b |
</criteria>
|
|
|
07cb6b |
</definition>
|
|
|
07cb6b |
|
|
|
07cb6b |
-
|
|
|
07cb6b |
+
|
|
|
07cb6b |
id="test_sudoers_targetpw_config" version="1">
|
|
|
07cb6b |
<ind:object object_ref="object_test_sudoers_targetpw_config" />
|
|
|
07cb6b |
</ind:textfilecontent54_test>
|
|
|
07cb6b |
|
|
|
07cb6b |
-
|
|
|
07cb6b |
+
|
|
|
07cb6b |
id="test_sudoers_rootpw_config" version="1">
|
|
|
07cb6b |
<ind:object object_ref="object_test_sudoers_rootpw_config" />
|
|
|
07cb6b |
</ind:textfilecontent54_test>
|
|
|
07cb6b |
|
|
|
07cb6b |
-
|
|
|
07cb6b |
+
|
|
|
07cb6b |
id="test_sudoers_runaspw_config" version="1">
|
|
|
07cb6b |
<ind:object object_ref="object_test_sudoers_runaspw_config" />
|
|
|
07cb6b |
</ind:textfilecontent54_test>
|
|
|
07cb6b |
@@ -26,19 +26,19 @@
|
|
|
07cb6b |
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
|
|
|
07cb6b |
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
07cb6b |
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
|
|
|
07cb6b |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
07cb6b |
</ind:textfilecontent54_object>
|
|
|
07cb6b |
|
|
|
07cb6b |
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
|
|
|
07cb6b |
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
07cb6b |
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
|
|
|
07cb6b |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
07cb6b |
</ind:textfilecontent54_object>
|
|
|
07cb6b |
|
|
|
07cb6b |
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
|
|
|
07cb6b |
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
|
|
|
07cb6b |
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
|
|
|
07cb6b |
- <ind:instance datatype="int">1</ind:instance>
|
|
|
07cb6b |
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
|
|
|
07cb6b |
</ind:textfilecontent54_object>
|
|
|
07cb6b |
|
|
|
07cb6b |
</def-group>
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
07cb6b |
index ccc29b77d15..698021d8fd0 100644
|
|
|
07cb6b |
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
07cb6b |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
|
|
|
07cb6b |
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
|
|
|
07cb6b |
ocil: |-
|
|
|
07cb6b |
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
|
|
|
07cb6b |
sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'
|
|
|
07cb6b |
- If no results are returned, this is a finding
|
|
|
07cb6b |
+ If no results are returned, this is a finding.
|
|
|
07cb6b |
+ If results are returned from more than one file location, this is a finding.
|
|
|
07cb6b |
If "Defaults !targetpw" is not defined, this is a finding.
|
|
|
07cb6b |
If "Defaults !rootpw" is not defined, this is a finding.
|
|
|
07cb6b |
If "Defaults !runaspw" is not defined, this is a finding.
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..a258d108a00
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
|
|
|
07cb6b |
@@ -0,0 +1,9 @@
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
|
|
|
07cb6b |
+# packages = sudo
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+echo 'Defaults !targetpw' >> /etc/sudoers
|
|
|
07cb6b |
+echo 'Defaults !rootpw' >> /etc/sudoers
|
|
|
07cb6b |
+echo 'Defaults !runaspw' >> /etc/sudoers
|
|
|
07cb6b |
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
|
|
|
07cb6b |
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
|
|
|
07cb6b |
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
|
|
|
07cb6b |
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
|
|
07cb6b |
new file mode 100644
|
|
|
07cb6b |
index 00000000000..6247b5230e4
|
|
|
07cb6b |
--- /dev/null
|
|
|
07cb6b |
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
|
|
|
07cb6b |
@@ -0,0 +1,7 @@
|
|
|
07cb6b |
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
|
|
|
07cb6b |
+# packages = sudo
|
|
|
07cb6b |
+
|
|
|
07cb6b |
+echo 'Defaults !targetpw' >> /etc/sudoers
|
|
|
07cb6b |
+echo 'Defaults !rootpw' >> /etc/sudoers
|
|
|
07cb6b |
+echo 'Defaults !runaspw' >> /etc/sudoers
|
|
|
07cb6b |
+echo 'Defaults !runaspw' >> /etc/sudoers
|