Fix in sudo_require_reauthentication

linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml

@@ -1,25 +1,31 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{ oval_metadata("'Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout") }}}
-    <criteria comment="The timestamp_timeout should be configured" >
+    <criteria comment="The timestamp_timeout should be configured" operator="AND">
       <criterion comment="check configuration in /etc/sudoers" test_ref="test_sudo_timestamp_timeout" />
+      <criterion comment="check for - sign in configuration" test_ref="test_sudo_timestamp_timeout_no_signs" />
     </criteria>
   </definition>
 
+  <!-- Define 1st test for sudo timestamp. -->
   <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout" version="1">
     <ind:object object_ref="obj_sudo_timestamp_timeout"/>
-    <ind:state state_ref="state_sudo_timestamp_timeout" />
+  </ind:textfilecontent54_test>
+
+  <!-- Define 2nd test for sudo timestamp. -->
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check correct configuration in /etc/sudoers" id="test_sudo_timestamp_timeout_no_signs" version="1">
+    <ind:object object_ref="obj_sudo_timestamp_timeout_no_signs"/>
   </ind:textfilecontent54_test>
 
   <ind:textfilecontent54_object id="obj_sudo_timestamp_timeout" version="1">
-    <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-    <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout[\s]*=[\s]*([-]?[\d]+)$</ind:pattern>
-    <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+    <ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>  
+    <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
-  <ind:textfilecontent54_state id="state_sudo_timestamp_timeout"
-  version="1">
-    <ind:subexpression datatype="int" operation="greater than or equal">0</ind:subexpression>
-  </ind:textfilecontent54_state>
-
+   <ind:textfilecontent54_object id="obj_sudo_timestamp_timeout_no_signs" version="1">
+    <ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>  
+    <ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object> 
 </def-group>

linux_os/guide/system/software/sudo/sudo_require_reauthentication/rule.yml

@@ -64,3 +64,5 @@ fixtext: |-
     Remove any duplicate or conflicting lines from /etc/sudoers and /etc/sudoers.d/ files.
 
 srg_requirement: '{{{ full_name }}} must require re-authentication when using the "sudo" command.'
+
+platform: package[sudo]

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_1.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_2.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_3.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=0/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=0" >> /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_4.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=0/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_5.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=+0/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=+0" >> /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_6.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=+3/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=+3" >> /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_7.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=+3/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=+3" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_8.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=+0/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=+0" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_with_spaces_1.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout = +2.5/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout = +2.5" >> /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_with_spaces_2.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout = +2.5/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout = +2.5" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value.fail.sh

@@ -4,4 +4,3 @@
 if grep -q 'timestamp_timeout' /etc/sudoers; then
 	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
 fi
-

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value_1.fail.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from /etc/sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_conflicting_value.fail.sh

@@ -2,9 +2,9 @@
 # packages = sudo
 
 if grep -q 'timestamp_timeout' /etc/sudoers; then
-	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=-1/' /etc/sudoers
 else
-	echo "Defaults timestamp_timeout=-1" >> /etc/sudoers
+	echo "Defaults timestamp_timeout=-1" >> /etc/sudoers 
 fi
 
 echo "Defaults timestamp_timeout=3" > /etc/sudoers.d/00-complianceascode-test.conf

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_conflicting_value_1.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=0/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=0" >> /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=-1/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=-1" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_conflicting_value_2.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=-1/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=-1" >> /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=0/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=0" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_conflicting_value_3.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=1/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=1" >> /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_conflicting_value_4.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=0/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=0" >> /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/multiple_equal_value.fail.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=3/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=3" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/wrong_value_1.fail.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Remove Defaults timestamp_timeout from sudoers
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers
+fi
+
+# Set Defaults timestamp_timeout in /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=-3/' /etc/sudoers.d/00-complianceascode-test.conf
+else
+	echo "Defaults timestamp_timeout=-3" >> /etc/sudoers.d/00-complianceascode-test.conf
+fi

linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/wrong_value_2.fail.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# packages = sudo
+
+# Set Defaults timestamp_timeout in /etc/sudoers 
+if grep -q 'timestamp_timeout' /etc/sudoers; then
+	sed -i 's/.*timestamp_timeout.*/Defaults timestamp_timeout=-3/' /etc/sudoers
+else
+	echo "Defaults timestamp_timeout=-3" >> /etc/sudoers
+fi
+
+# Remove Defaults timestamp_timeout from /etc/sudoers.d/00-complianceascode-test.conf
+if grep -q 'timestamp_timeout' /etc/sudoers.d/00-complianceascode-test.conf; then
+	sed -i '/.*timestamp_timeout.*/d' /etc/sudoers.d/00-complianceascode-test.conf
+fi