diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
index 08ffd76aed6..399ca1ea3ce 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/ansible/shared.yml
@@ -4,6 +4,26 @@
# complexity = low
# disruption = low
-{{{ ansible_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !targetpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !rootpw', create='yes', state='present') }}}
-{{{ ansible_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', path='/etc/sudoers', new_line='Defaults !runaspw', create='yes', state='present') }}}
+{{%- macro delete_line_in_sudoers_d(line) %}}
+- name: "Find out if /etc/sudoers.d/* files contain {{{ line }}} to be deduplicated"
+ find:
+ path: "/etc/sudoers.d"
+ patterns: "*"
+ contains: '^{{{ line }}}$'
+ register: sudoers_d_defaults
+
+- name: "Remove found occurrences of {{{ line }}} from /etc/sudoers.d/* files"
+ lineinfile:
+ path: "{{ item.path }}"
+ regexp: "^{{{ line }}}$"
+ state: absent
+ with_items: "{{ sudoers_d_defaults.files }}"
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !targetpw is defined in sudoers', line_regex='^Defaults !targetpw$', path='/etc/sudoers', new_line='Defaults !targetpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !rootpw is defined in sudoers', line_regex='^Defaults !rootpw$', path='/etc/sudoers', new_line='Defaults !rootpw') }}}
+{{{ ansible_only_lineinfile(msg='Ensure that Defaults !runaspw is defined in sudoers', line_regex='^Defaults !runaspw$', path='/etc/sudoers', new_line='Defaults !runaspw') }}}
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
index ea0ac67fa1c..3b327f3fc88 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/bash/shared.sh
@@ -1,5 +1,17 @@
# platform = multi_platform_all
+{{%- macro delete_line_in_sudoers_d(line) %}}
+if grep -x '^{{{line}}}$' /etc/sudoers.d/*; then
+ find /etc/sudoers.d/ -type f -exec sed -i "/{{{line}}}/d" {} \;
+fi
+{{%- endmacro %}}
+
+{{{- delete_line_in_sudoers_d("Defaults !targetpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !rootpw") }}}
+{{{- delete_line_in_sudoers_d("Defaults !runaspw") }}}
+
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !targetpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !rootpw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
{{{ set_config_file(path="/etc/sudoers", parameter="Defaults !runaspw", value="", create=true, insensitive=false, separator="", separator_regex="", prefix_regex="") }}}
+
+
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
index 646e6bfb7c0..b3fadd53bee 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/oval/shared.xml
@@ -8,17 +8,17 @@
</criteria>
</definition>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_targetpw_config" version="1">
<ind:object object_ref="object_test_sudoers_targetpw_config" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_rootpw_config" version="1">
<ind:object object_ref="object_test_sudoers_rootpw_config" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure invoking user's password for privilege escalation when using sudo"
+ <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Ensure invoking user's password for privilege escalation when using sudo"
id="test_sudoers_runaspw_config" version="1">
<ind:object object_ref="object_test_sudoers_runaspw_config" />
</ind:textfilecontent54_test>
@@ -26,19 +26,19 @@
<ind:textfilecontent54_object id="object_test_sudoers_targetpw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !targetpw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_rootpw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !rootpw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
<ind:textfilecontent54_object id="object_test_sudoers_runaspw_config" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
<ind:pattern operation="pattern match">^Defaults !runaspw$\r?\n</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
+ <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
</def-group>
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
index ccc29b77d15..698021d8fd0 100644
--- a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml
@@ -42,7 +42,8 @@ ocil_clause: 'invoke user passwd when using sudo'
ocil: |-
Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
<pre> sudo egrep -i '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#'</pre>
- If no results are returned, this is a finding
+ If no results are returned, this is a finding.
+ If results are returned from more than one file location, this is a finding.
If "Defaults !targetpw" is not defined, this is a finding.
If "Defaults !rootpw" is not defined, this is a finding.
If "Defaults !runaspw" is not defined, this is a finding.
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
new file mode 100644
index 00000000000..a258d108a00
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_d_duplicate.fail.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !targetpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !rootpw' >> /etc/sudoers.d/00-complianceascode.conf
+echo 'Defaults !runaspw' >> /etc/sudoers.d/00-complianceascode.conf
diff --git a/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
new file mode 100644
index 00000000000..6247b5230e4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudoers_validate_passwd/tests/sudoers_validate_passwd_duplicates.fail.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'Defaults !targetpw' >> /etc/sudoers
+echo 'Defaults !rootpw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers
+echo 'Defaults !runaspw' >> /etc/sudoers