From ddd0683975f94be4eff811b89864e40521f11b02 Mon Sep 17 00:00:00 2001 From: sampsone Date: Wed, 17 Mar 2021 15:46:16 -0500 Subject: [PATCH 1/5] SLES-15-020101 add rule and tests, no remediation. --- .../oval/shared.xml | 35 +++++++++++++++++ .../rule.yml | 38 +++++++++++++++++++ .../tests/simple.fail.sh | 5 +++ .../tests/simple.pass.sh | 5 +++ .../tests/sudoers_d.fail.sh | 5 +++ 6 files changed, 89 insertions(+) create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml new file mode 100644 index 00000000000..f6a6b2fbb73 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml @@ -0,0 +1,35 @@ + + + {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}} + + + + + + + + + + + + ^/etc/sudoers(\.d/.*)?$ + ^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$ + 1 + + + + + + + + + ^/etc/sudoers(\.d/.*)?$ + ^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s* + 1 + + + diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml new file mode 100644 index 00000000000..523dd62d91e --- /dev/null 
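Review bot: The second pattern in this shared.xml hunk, `^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*`, has no trailing `$`, while the first pattern and both grep commands in rule.yml's OCIL are anchored at end of line; the automated check and the manual check should agree, so it should read `^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$`. The same unanchored string is passed to the `check_sudoers(scope='group', ...)` call in patch 4's shared.xml hunk, so the macro-ized version carries the defect forward. The file pattern `^/etc/sudoers(\.d/.*)?$` inspects only the default include directory, so entries pulled in through an `#include`/`#includedir` directive pointing elsewhere are not examined, and only the literal `ALL ALL=(ALL) ALL` spelling is matched (a line that adds a tag before the command list would not match); both limits are worth stating in the rule's description or warnings. The XML element names of this hunk are not visible on this page, so the object/state structure around the patterns was not reviewed.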
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'The operating system must restrict privilege elevation to authorized personnel'
+
+prodtype: sle15
+
+description: |-
+ The sudo command allows a user to execute programs with elevated
+ (administrator) privileges. It prompts the user for their password
+ and confirms your request to execute a command by checking a file,
+ called sudoers.
+
+rationale: |-
+ If the "sudoers" file is not configured correctly, any user defined
+ on the system can initiate privileged actions on the target system.
+
+severity: medium
+
+identifiers:
+ CCE-85712-8
+
+references:
+ nist: CM-6(b),CM-6(iv)
+ disa@sle15: CCI-000366
+ stig@sle15: SLES-15-020101
+
+ocil_clause: 'Verify the "sudoers" file restricts sudo access to authorized personnel.'
+
+ocil: |-
+ To determine if "sudoers" file, restricts sudo access, run the following commands:
+
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
+
$ sudo grep -PR '^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*$' /etc/sudoers /etc/sudoers.d/*
+ Both commands should return no output.
+
+platform: sudo
+
+warnings:
+ - general: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
new file mode 100644
index 00000000000..bc1f7aaf5a5
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.fail.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'ALL ALL=(ALL) ALL' > /etc/sudoers
+echo 'ALL ALL=(ALL:ALL) ALL' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
new file mode 100644
index 00000000000..9d38ecc7f92
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/simple.pass.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+
+echo 'user ALL=(admin) ALL' > /etc/sudoers
+echo 'user ALL=(admin:admin) ALL' > /etc/sudoers.d/foo
diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
new file mode 100644
index 00000000000..f5f156829b8
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/tests/sudoers_d.fail.sh
@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+# packages = sudo
+# remediation = none
+
+echo 'ALL ALL=(ALL:ALL) ALL' > /etc/sudoers.d/foo
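Review bot: The description in the rule.yml hunk switches person mid-sentence ("prompts the user for their password and confirms your request"); suggest `and confirms the request to execute a command by checking a file,`. The OCIL opening line has a stray comma and a missing article: `To determine if the "sudoers" file restricts sudo access, run the following commands:`. Both are wording-only changes to user-facing guide text.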
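Review bot: `simple.fail.sh` and `simple.pass.sh` lack the `# remediation = none` header that `sudoers_d.fail.sh` carries, yet the rule ships no remediation at all (per its `warnings` entry), so the test runner will presumably try to remediate the first fail scenario and report it as a failure; add `# remediation = none` to both for consistency. All three scenarios use single-space-separated entries only; one scenario with tab-separated fields or trailing whitespace would exercise the `\s` parts of the patterns, which is the variation the rule relies on. Both fail scenarios truncate `/etc/sudoers` outright, which is acceptable only in the disposable test environment and deserves a one-line comment saying so.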
From 53096e65642f535184d4e566c4a04778d4efc3d2 Mon Sep 17 00:00:00 2001 From: Earl Sampson Date: Tue, 23 Mar 2021 08:33:03 -0500 Subject: [PATCH 2/5] Update linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml Co-authored-by: Gabriel Becker --- .../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index 523dd62d91e..0e8ebcba9b6 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -17,7 +17,7 @@ rationale: |- severity: medium identifiers: - CCE-85712-8 + cce@sle15: CCE-85712-8 references: nist: CM-6(b),CM-6(iv) From 1e6fe4161834d10c6423b177973e25cbc29b2049 Mon Sep 17 00:00:00 2001 From: Earl Sampson Date: Tue, 23 Mar 2021 13:24:23 -0500 Subject: [PATCH 3/5] make warning multiline --- .../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 4 +++ - 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index 0e8ebcba9b6..ba79902bc22 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml 
@@ -35,4 +35,6 @@ ocil: |- platform: sudo warnings: - - general: This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable. +- general: |- + This rule doesn't come with a remediation, as the exact requirement allows exceptions, + and removing lines from the sudoers file can make the system non-administrable. From 7948d5b5fbc9fe7d9d0194dc162feef6996d62c5 Mon Sep 17 00:00:00 2001 From: sampsone Date: Wed, 24 Mar 2021 10:03:22 -0500 Subject: [PATCH 4/5] Macro-ize sudoers check --- .../oval/shared.xml | 40 ++++++++----------- 1 file changed, 16 insertions(+), 24 deletions(-) diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml index f6a6b2fbb73..c7790c4da2f 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/oval/shared.xml @@ -1,35 +1,27 @@ - - {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}} - - - - - - + {{% macro check_sudoers(scope, pattern) %}} - + id="test_not_all_users_can_sudo_to_{{{ scope }}}" version="1"> + - + ^/etc/sudoers(\.d/.*)?$ - ^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$ + {{{ pattern }}} 1 + {{% endmacro %}} + + + {{{ oval_metadata("Check that sudoers doesn't allow all users to run commands via sudo") }}} + + + + + - - - - - - - ^/etc/sudoers(\.d/.*)?$ - ^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s* - 1 - + {{{ check_sudoers(scope='users',pattern='^\s*ALL\s+ALL\=\(ALL\)\s+ALL\s*$') }}} + {{{ check_sudoers(scope='group',pattern='^\s*ALL\s+ALL\=\(ALL\:ALL\)\s+ALL\s*') }}} From 875413af52022a4aedfc97be5bc39b1af25041ca Mon Sep 17 00:00:00 2001 
From: Earl Sampson Date: Fri, 26 Mar 2021 10:28:26 -0500 Subject: [PATCH 5/5] Update linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml Co-authored-by: Gabriel Becker --- .../sudo_restrict_privilege_elevation_to_authorized/rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml index ba79902bc22..8449bcade65 100644 --- a/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml +++ b/linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml @@ -24,7 +24,7 @@ references: disa@sle15: CCI-000366 stig@sle15: SLES-15-020101 -ocil_clause: 'Verify the "sudoers" file restricts sudo access to authorized personnel.' +ocil_clause: '/etc/sudoers file does not restrict sudo access to authorized personnel' ocil: |- To determine if "sudoers" file, restricts sudo access, run the following commands: