Blob Blame History Raw
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 08ffd76aed6..399ca1ea3ce 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,26 @@
 # complexity = low
 # disruption = low
 
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
+{{%- macro delete_line_in_sudoers_d(line) %}}
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
+  find:
+    path: "/etc/sudoers.d"
+    patterns: "*"
+    contains: '^{{{ line }}}$'
+  register: sudoers_d_defaults
+
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
+  lineinfile:
+    path: "{{ item.path }}"
+    regexp: "^{{{ line }}}$"
+    state: absent
+  with_items: "{{ sudoers_d_defaults.files }}"
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
index ea0ac67fa1c..3b327f3fc88 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
@@ -1,5 +1,17 @@
 # platform = multi_platform_all
 
+{{%- macro delete_line_in_sudoers_d(line) %}}
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
+    find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
+fi
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
 {{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+
+
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 646e6bfb7c0..b3fadd53bee 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -8,17 +8,17 @@
       </criteria>
   </definition>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
   id="test_sudoers_targetpw_config" version="1">
     <ind:object object_ref="object_test_sudoers_targetpw_config" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
   id="test_sudoers_rootpw_config" version="1">
     <ind:object object_ref="object_test_sudoers_rootpw_config" />
   </ind:textfilecontent54_test>
 
-  <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+  <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
   id="test_sudoers_runaspw_config" version="1">
     <ind:object object_ref="object_test_sudoers_runaspw_config" />
   </ind:textfilecontent54_test>
@@ -26,19 +26,19 @@
   <ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
     <ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
     <ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
   <ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
     <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
     <ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
-    <ind:instance datatype="int">1</ind:instance>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
 </def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index ccc29b77d15..698021d8fd0 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
 ocil: |-
     Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
     <pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
-    If no results are returned, this is a finding
+    If no results are returned, this is a finding.
+    If results are returned from more than one file location, this is a finding.
     If "Defaults !targetpw" is not defined, this is a finding.
     If "Defaults !rootpw" is not defined, this is a finding.
     If "Defaults !runaspw" is not defined, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
new file mode 100644
index 00000000000..a258d108a00
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
new file mode 100644
index 00000000000..6247b5230e4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers