From ddd0683975f94be4eff811b89864e40521f11b02 Mon Sep 17 00:00:00 2001
From: sampsone <esampson@suse.com>
Date: Wed, 17 Mar 2021 15:46:16 -0500
Subject: [PATCH 1/5] SLES-15-020101 add rule and tests, no remediation.
---
.../oval/shared.xml | 35 +++++++++++++++++
.../rule.yml | 38 +++++++++++++++++++
.../tests/simple.fail.sh | 5 +++
.../tests/simple.pass.sh | 5 +++
.../tests/sudoers_d.fail.sh | 5 +++
6 files changed, 89 insertions(+)
create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml
create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml
new file mode 100644
index 00000000000..f6a6b2fbb73
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml
@@ -0,0 +1,35 @@
+<def-group>
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}}
+ <criteria operator="AND">
+ <criterion comment="Make sure that sudoers has restrictions on which users can run sudo for any target user" test_ref="test_not_all_users_can_sudo" />
+ <criterion comment="Make sure that sudoers has restrictions on which users can run sudo for any target group" test_ref="test_not_all_users_can_sudo_to_group" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Make sure that sudoers has restrictions on which users can run sudo"
+ id="test_not_all_users_can_sudo" version="1">
+ <ind:object object_ref="object_sudoers_cfg_spec_all_users" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_sudoers_cfg_spec_all_users" version="1">
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="Make sure that sudoers has restrictions on which users can run sudo"
+ id="test_not_all_users_can_sudo_to_group" version="1">
+ <ind:object object_ref="object_sudoers_cfg_spec_all_group" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object id="object_sudoers_cfg_spec_all_group" version="1">
+ <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
+ <ind:pattern operation="pattern match">^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
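Review bot: The group object's pattern `^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*` has no trailing `$`, unlike the user pattern a few lines above it and the second grep in rule.yml's ocil, so it also matches any line whose command list merely starts with `ALL` (an alias such as `ALLOWED_CMDS`); it should read `^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$`, and the same unanchored string is carried unchanged into the macro call in PATCH 4/5. Both regexes are also narrower than what sudoers accepts: whitespace around `=` and a tag such as `NOPASSWD:` before the command are, as far as I recall the sudoers grammar, valid spellings of the same unrestricted grant and would be reported as passing here. Either widen the patterns (e.g. `\s*\=\s*` and an optional tag group) or make the comment attributes say the check looks only for the literal `ALL ALL=(ALL) ALL` / `ALL ALL=(ALL:ALL) ALL` forms. The two test comments are identical; mirroring the criterion comments (`... for any target user` / `... for any target group`) would make the OVAL results easier to read.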
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
new file mode 100644
index 00000000000..523dd62d91e
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'The operating system must restrict privilege elevation to authorized personnel'
+
+prodtype: sle15
+
+description: |-
+ The sudo command allows a user to execute programs with elevated
+ (administrator) privileges. It prompts the user for their password
+ and confirms your request to execute a command by checking a file,
+ called sudoers.
+
+rationale: |-
+ If the "sudoers" file is not configured correctly, any user defined
+ on the system can initiate privileged actions on the target system.
+
+severity: medium
+
+identifiers:
+ CCE-85712-8
+
+references:
+ nist: CM-6(b),CM-6(iv)
+ disa@sle15: CCI-000366
+ stig@sle15: SLES-15-020101
+
+ocil_clause: 'Verify the "sudoers" file restricts sudo access to authorized personnel.'
+
+ocil: |-
+ To determine if "sudoers" file, restricts sudo access, run the following commands:
+ <pre>$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*</pre>
+ <pre>$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*</pre>
+ Both commands should return no output.
+
+platform: sudo
+
+warnings:
+ - general: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.
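Review bot: The description switches person mid-sentence ("prompts the user for their password and confirms your request"); suggest `It prompts the user for their password and confirms the request to execute a command by checking a file, called sudoers.`. The first ocil line also has a stray comma and a missing article: `To determine if the "sudoers" file restricts sudo access, run the following commands:`. It may be worth stating in the description that the check covers drop-in files under /etc/sudoers.d as well, since both grep commands and the OVAL filepath pattern include them.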
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
new file mode 100644
index 00000000000..bc1f7aaf5a5
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'ALL ALL=(ALL) ALL' > /etc/sudoers
+echo 'ALL ALL=(ALL:ALL) ALL' > /etc/sudoers.d/foo
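Review bot: The `# remediation = none` header present in sudoers_d.fail.sh is missing here and in simple.pass.sh; rule.yml states the rule ships no remediation, so all three scenarios should carry the same header (presumably the test harness otherwise expects a remediation step to run). Each scenario also redirects into `/etc/sudoers.d/foo` without ensuring the directory exists, so the fixture depends on the sudo package having created it; adding `mkdir -p /etc/sudoers.d` before the echo removes that dependency. Overwriting `/etc/sudoers` wholesale is acceptable for a throwaway test VM, but a short comment saying the file is intentionally replaced would help the next reader.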
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
new file mode 100644
index 00000000000..9d38ecc7f92
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'user ALL=(admin) ALL' > /etc/sudoers
+echo 'user ALL=(admin:admin) ALL' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
new file mode 100644
index 00000000000..f5f156829b8
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+# remediation = none
+
+echo 'ALL ALL=(ALL:ALL) ALL' > /etc/sudoers.d/foo
From 53096e65642f535184d4e566c4a04778d4efc3d2 Mon Sep 17 00:00:00 2001
From: Earl Sampson <ESampson@suse.com>
Date: Tue, 23 Mar 2021 08:33:03 -0500
Subject: [PATCH 2/5] Update
linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index 523dd62d91e..0e8ebcba9b6 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -17,7 +17,7 @@ rationale: |-
severity: medium
identifiers:
- CCE-85712-8
+ cce@sle15: CCE-85712-8
references:
nist: CM-6(b),CM-6(iv)
From 1e6fe4161834d10c6423b177973e25cbc29b2049 Mon Sep 17 00:00:00 2001
From: Earl Sampson <ESampson@suse.com>
Date: Tue, 23 Mar 2021 13:24:23 -0500
Subject: [PATCH 3/5] make warning multiline
---
.../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 4 +++ -
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index 0e8ebcba9b6..ba79902bc22 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -35,4 +35,6 @@ ocil: |-
platform: sudo
warnings:
- - general: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.
+- general: |-
+ This rule doesn't come with a remediation, as the exact requirement allows exceptions,
+ and removing lines from the sudoers file can make the system non-administrable.
From 7948d5b5fbc9fe7d9d0194dc162feef6996d62c5 Mon Sep 17 00:00:00 2001
From: sampsone <esampson@suse.com>
Date: Wed, 24 Mar 2021 10:03:22 -0500
Subject: [PATCH 4/5] Macro-ize sudoers check
---
.../oval/shared.xml | 40 ++++++++-----------
1 file changed, 16 insertions(+), 24 deletions(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml
index f6a6b2fbb73..c7790c4da2f 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml
@@ -1,35 +1,27 @@
<def-group>
- <definition class="compliance" id="{{{ rule_id }}}" version="1">
- {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}}
- <criteria operator="AND">
- <criterion comment="Make sure that sudoers has restrictions on which users can run sudo for any target user" test_ref="test_not_all_users_can_sudo" />
- <criterion comment="Make sure that sudoers has restrictions on which users can run sudo for any target group" test_ref="test_not_all_users_can_sudo_to_group" />
- </criteria>
- </definition>
-
+ {{% macro check_sudoers(scope, pattern) %}}
<ind:textfilecontent54_test check="all" check_existence="none_exist"
comment="Make sure that sudoers has restrictions on which users can run sudo"
- id="test_not_all_users_can_sudo" version="1">
- <ind:object object_ref="object_sudoers_cfg_spec_all_users" />
+ id="test_not_all_users_can_sudo_to_{{{ scope }}}" version="1">
+ <ind:object object_ref="object_sudoers_cfg_spec_all_{{{ scope }}}" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_object id="object_sudoers_cfg_spec_all_users" version="1">
+ <ind:textfilecontent54_object id="object_sudoers_cfg_spec_all_{{{ scope }}}" version="1">
<ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
- <ind:pattern operation="pattern match">^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$</ind:pattern>
+ <ind:pattern operation="pattern match">{{{ pattern }}}</ind:pattern>
<ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>
+ {{% endmacro %}}
+
+ <definition class="compliance" id="{{{ rule_id }}}" version="1">
+ {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}}
+ <criteria operator="AND">
+ <criterion comment="Make sure that sudoers has restrictions on which users can run sudo for any target user" test_ref="test_not_all_users_can_sudo_to_users" />
+ <criterion comment="Make sure that sudoers has restrictions on which users can run sudo for any target group" test_ref="test_not_all_users_can_sudo_to_group" />
+ </criteria>
+ </definition>
-
- <ind:textfilecontent54_test check="all" check_existence="none_exist"
- comment="Make sure that sudoers has restrictions on which users can run sudo"
- id="test_not_all_users_can_sudo_to_group" version="1">
- <ind:object object_ref="object_sudoers_cfg_spec_all_group" />
- </ind:textfilecontent54_test>
-
- <ind:textfilecontent54_object id="object_sudoers_cfg_spec_all_group" version="1">
- <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
- <ind:pattern operation="pattern match">^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*</ind:pattern>
- <ind:instance datatype="int">1</ind:instance>
- </ind:textfilecontent54_object>
+ {{{ check_sudoers(scope='users',pattern='^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$') }}}
+ {{{ check_sudoers(scope='group',pattern='^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*') }}}
</def-group>
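Review bot: The macro emits the same comment attribute for both scopes, so the two generated tests are indistinguishable in the report; using the parameter, e.g. `comment="Make sure that sudoers has restrictions on which users can run sudo for any target {{{ scope }}}"`, keeps the per-scope wording the criteria already have. Passing the regexes as Jinja string literals also means backslash escapes are, if I recall correctly, interpreted by the template engine; the current `\s`, `\(`, `\=` and `\:` survive, but a future `\b` or `\n` would silently change the pattern, which deserves a short comment next to the two calls. The trailing `$` anchor is still absent from the group pattern in the second call, as noted on the original shared.xml hunk.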
From 875413af52022a4aedfc97be5bc39b1af25041ca Mon Sep 17 00:00:00 2001
From: Earl Sampson <ESampson@suse.com>
Date: Fri, 26 Mar 2021 10:28:26 -0500
Subject: [PATCH 5/5] Update
linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
Co-authored-by: Gabriel Becker <ggasparb@redhat.com>
---
.../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
index ba79902bc22..8449bcade65 100644
--- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -24,7 +24,7 @@ references:
disa@sle15: CCI-000366
stig@sle15: SLES-15-020101
-ocil_clause: 'Verify the "sudoers" file restricts sudo access to authorized personnel.'
+ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel'
ocil: |-
To determine if "sudoers" file, restricts sudo access, run the following commands:
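Review bot: The new ocil_clause names only /etc/sudoers, while the OVAL filepath pattern and the two grep commands in ocil also cover files under /etc/sudoers.d, so a finding in a drop-in file would be described by a clause that does not mention where it can occur; suggest `ocil_clause: 'the /etc/sudoers file or a file under /etc/sudoers.d does not restrict sudo access to authorized personnel'`. The ocil block continues past the end of the hunk.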