rpms / scap-security-guide

Clone
Source Code
GIT

Blame SOURCES/scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch

c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   792d3deaca4c7857f92e93e7a5ca1e0ac97e6de5
  2.   SOURCES
  3.   scap-security-guide-0.1.64-stig_sudoers_includes-PR_9283.patch
Blob History Raw
792d3d 
From 7e46b59d2227dea50ca173d799bce7fa14b57ab1 Mon Sep 17 00:00:00 2001
792d3d 
From: Watson Sato <wsato@redhat.com>
792d3d 
Date: Tue, 2 Aug 2022 15:57:52 +0200
792d3d 
Subject: [PATCH 1/2] Accept sudoers files without includes as compliant
792d3d
792d3d 
Update rule sudoers_default_includedir to accept as compliant sudoers
792d3d 
files that don't have any #include or #includedir directive
792d3d 
---
792d3d 
 .../oval/shared.xml                           | 24 +++++++++++++++----
792d3d 
 .../sudo/sudoers_default_includedir/rule.yml  |  8 ++++---
792d3d 
 ...cludedir.fail.sh => no_includedir.pass.sh} |  2 +-
792d3d 
 3 files changed, 26 insertions(+), 8 deletions(-)
792d3d 
 rename linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/{no_includedir.fail.sh => no_includedir.pass.sh} (51%)
792d3d
792d3d 
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
792d3d 
index 59cab0b89de..629fbe8c6d2 100644
792d3d 
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
792d3d 
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
792d3d 
@@ -1,10 +1,16 @@
792d3d 
 <def-group>
792d3d 
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
792d3d 
     {{{ oval_metadata("Check if sudo includes only the default includedir") }}}
792d3d 
-    <criteria operator="AND">
792d3d 
-      <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
792d3d 
-      <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
792d3d 
-      <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
792d3d 
+    <criteria operator="OR">
792d3d 
+      <criteria operator="AND">
792d3d 
+        <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
792d3d 
+        <criterion comment="Check /etc/sudoers doesn't have any #includedir" test_ref="test_sudoers_without_includedir" />
792d3d 
+      </criteria>
792d3d 
+      <criteria operator="AND">
792d3d 
+        <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
792d3d 
+        <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
792d3d 
+        <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
792d3d 
+      </criteria>
792d3d 
     </criteria>
792d3d 
   </definition>
792d3d
792d3d 
@@ -32,6 +38,16 @@
792d3d 
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
792d3d 
   </ind:textfilecontent54_object>
792d3d
792d3d 
+
792d3d 
+      comment="audit augenrules rmmod" id="test_sudoers_without_includedir" version="1">
792d3d 
+    <ind:object object_ref="object_sudoers_without_includedir" />
792d3d 
+  </ind:textfilecontent54_test>
792d3d 
+  <ind:textfilecontent54_object id="object_sudoers_without_includedir" version="1">
792d3d 
+    <ind:filepath>/etc/sudoers</ind:filepath>
792d3d 
+    <ind:pattern operation="pattern match">^#includedir[\s]+.*$</ind:pattern>
792d3d 
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
792d3d 
+  </ind:textfilecontent54_object>
792d3d 
+
792d3d
792d3d 
       comment="audit augenrules rmmod" id="test_sudoersd_without_includes" version="1">
792d3d 
     <ind:object object_ref="object_sudoersd_without_includes" />
792d3d 
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
792d3d 
index aa2aaee19f8..83bfb0183bd 100644
792d3d 
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
792d3d 
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml
792d3d 
@@ -8,9 +8,11 @@ description: |-
792d3d 
     Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include
792d3d 
     other directories and configuration files from the file currently being parsed.
792d3d
792d3d 
-    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>.
792d3d 
-    The <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
792d3d 
-    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories.
792d3d 
+    Make sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,
792d3d 
+    or that no drop-in file is included.
792d3d 
+    Either the <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to
792d3d 
+    <tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;
792d3d 
+    Or the <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt> or <tt>#includedir</tt> directives.
792d3d 
     Note that the '#' character doesn't denote a comment in the configuration file.
792d3d
792d3d 
 rationale: |-
792d3d 
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
792d3d 
similarity index 51%
792d3d 
rename from linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
792d3d 
rename to linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
792d3d 
index 1e0ab8aea92..fe73cb25076 100644
792d3d 
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.fail.sh
792d3d 
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/tests/no_includedir.pass.sh
792d3d 
@@ -1,4 +1,4 @@
792d3d 
 #!/bin/bash
792d3d 
 # platform = multi_platform_all
792d3d
792d3d 
-sed -i "/#includedir.*/d" /etc/sudoers
792d3d 
+sed -i "/#include(dir)?.*/d" /etc/sudoers
792d3d
792d3d 
From 28967d81eeea19f172ad0fd43ad3f58b203e1411 Mon Sep 17 00:00:00 2001
792d3d 
From: Watson Sato <wsato@redhat.com>
792d3d 
Date: Wed, 3 Aug 2022 12:01:12 +0200
792d3d 
Subject: [PATCH 2/2] Improve definition's comments
792d3d
792d3d 
---
792d3d 
 .../software/sudo/sudoers_default_includedir/oval/shared.xml  | 4 ++--
792d3d 
 1 file changed, 2 insertions(+), 2 deletions(-)
792d3d
792d3d 
diff --git a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
792d3d 
index 629fbe8c6d2..82095acc6ed 100644
792d3d 
--- a/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
792d3d 
+++ b/linux_os/guide/system/software/sudo/sudoers_default_includedir/oval/shared.xml
792d3d 
@@ -8,8 +8,8 @@
792d3d 
       </criteria>
792d3d 
       <criteria operator="AND">
792d3d 
         <criterion comment="Check /etc/sudoers for #includedir" test_ref="test_sudoers_default_includedir" />
792d3d 
-        <criterion comment="Check /etc/sudoers for #include" test_ref="test_sudoers_without_include" />
792d3d 
-        <criterion comment="Check /etc/sudoers.d for includes" test_ref="test_sudoersd_without_includes" />
792d3d 
+        <criterion comment="Check /etc/sudoers doesn't have any #include" test_ref="test_sudoers_without_include" />
792d3d 
+        <criterion comment="Check /etc/sudoers.d doesn't have any #include or #includedir" test_ref="test_sudoersd_without_includes" />
792d3d 
       </criteria>
792d3d 
     </criteria>
792d3d 
   </definition>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation