From d97cd9112ba9f3958e6658775a8a31e44bd0f0e9 Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Tue, 5 Jan 2021 18:03:24 +0100
Subject: [PATCH] Add rule sudo_add_passwd_timeout
This rule configures sudo password prompt timeout.
---
 controls/anssi.yml | 3 +-
 .../sudo/sudo_add_passwd_timeout/rule.yml | 40 +++++++++++++++++++
 .../software/sudo/var_sudo_passwd_timeout.var | 21 ++++++++++
 shared/references/cce-redhat-avail.txt | 2 -
 4 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
 create mode 100644 linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
diff --git a/controls/anssi.yml b/controls/anssi.yml
index 705f8e25aab..5120456230b 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -892,7 +892,8 @@ controls:
 - var_sudo_umask=0027
 - sudo_add_ignore_dot
 - sudo_add_env_reset
- # passwd_timeout=1
+ - sudo_add_passwd_timeout
+ - var_sudo_passwd_timeout=1_minute
 - id: R59
 level: minimal
diff --git a/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
new file mode 100644
index 00000000000..ae3399527f4
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/sudo_add_passwd_timeout/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+prodtype: ol7,ol8,rhel7,rhel8
+
+title: 'Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout'
+
+description: |-
+ The sudo passwd_timeout tag sets the amount of time sudo password prompt waits.
+{{%- if product in ["rhel7", "rhel8"] %}}
+ On {{{ full_name }}}, the default passwd_timeout value is 5 minutes.
+{{% endif %}}
+ The passwd_timeout should be configured by making sure that the
+ passwd_timeout=sub_var_value("var_sudo_passwd_timeout") tag exists in
+ /etc/sudoers configuration file or any sudo configuration snippets
+ in /etc/sudoers.d/.
+
+rationale: |-
+ Reducing the time sudo waits for a a password reduces the time the process is exposed.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83963-9
+ cce@rhel8: CCE-83964-7
+
+references:
+ anssi: BP28(R58)
+
+ocil_clause: 'passwd_timeout is not set with the appropriate value for sudo'
+
+ocil: |-
+ To determine if passwd_timeout has been configured for sudo, run the following command:
+
$ sudo grep -ri '^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")' /etc/sudoers /etc/sudoers.d/
+ The command should return a matching output.
+
+template:
+ name: sudo_defaults_option
+ vars:
+ option: passwd_timeout
+ variable_name: "var_sudo_passwd_timeout"
diff --git a/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
new file mode 100644
index 00000000000..4a9dcd5bb7b
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/var_sudo_passwd_timeout.var
@@ -0,0 +1,21 @@
+documentation_complete: true
+
+title: 'Sudo - passwd_timeout value'
+
+description: |-
+ Defines the number of minutes before the sudo password prompt times out.
+ Defining 0 means no timeout. The default timeout value is 5 minutes.
+
+interactive: false
+
+type: string
+
+operator: equals
+
+options:
+ default: "5"
+ infinite: "0"
+ 1_minute: "1"
+ 2_minutes: "2"
+ 3_minutes: "3"
+ 5_minutes: "5"
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 61391f50c2d..e095e405f66 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -349,8 +349,6 @@ CCE-83959-7
 CCE-83960-5
 CCE-83961-3
 CCE-83962-1
-CCE-83963-9
-CCE-83964-7
 CCE-83965-4
 CCE-83966-2
 CCE-83967-0
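Review bot: The OCIL grep on the `$ sudo grep` line of the new rule.yml is unanchored after the substituted value, so with `1_minute` selected it also accepts `passwd_timeout=10` or `passwd_timeout=1.5`; a trailing word boundary, `'^Defaults.*passwd_timeout=sub_var_value("var_sudo_passwd_timeout")\b'`, would stop it matching a longer number (Defaults options can be comma-separated on one line, so `$` is not a substitute). A single matching line also does not rule out a later `Defaults passwd_timeout=0`, which I believe sudoers applies last-wins, and the same question applies to whatever the `sudo_defaults_option` template checks, which is outside this diff. Smaller points: the rationale reads `for a a password`, and the description limits the 5-minute default to rhel7/rhel8 through the Jinja guard while the new .var file states it unconditionally, so the two could be brought into agreement.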
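Review bot: The `infinite: "0"` option in the new var_sudo_passwd_timeout.var lets a profile satisfy the rule while disabling the prompt timeout entirely, which is the opposite of what the rule's rationale argues for; if it is kept for completeness, a comment on that line, `# 0 disables the timeout; selecting it defeats sudo_add_passwd_timeout`, would make the trade-off visible to profile authors. `default: "5"` and `5_minutes: "5"` carry the same value, which is fine, but a one-line comment noting that `default` equals the 5-minute default stated in the description, so the rule only changes behaviour when a profile selects another option, would spare the next reader the question.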