Fix sudo_require_reauthentication remediations edge case #11279
Conversation
Both ansible and bash had an issue in the case that /etc/sudoers contain conflicting entries. In the case that there is one correct entry and a wrong one afterwards, the remediation wouldn't be applied Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
Cover the case when etc/sudoers contain conflicting entries Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
|
Hi @Xeicker. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffbash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' differs.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -14,9 +14,8 @@
# sudoers file doesn't define Option timestamp_timeout
echo "Defaults timestamp_timeout=${var_sudo_timestamp_timeout}" >> /etc/sudoers
else
- # sudoers file defines Option timestamp_timeout, remediate if appropriate value is not set
- if ! grep -P "^[\s]*Defaults.*timestamp_timeout[\s]*=[\s]*${var_sudo_timestamp_timeout}.*$" /etc/sudoers; then
-
+ # sudoers file defines Option timestamp_timeout, remediate wrong values if present
+ if grep -qP "^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!${var_sudo_timestamp_timeout}\b)[-]?\w+\b.*$" /etc/sudoers; then
sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers
fi
fi
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' differs.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -18,9 +18,9 @@
tags:
- always
-- name: Find out if /etc/sudoers.d/* files contain 'Defaults timestamp_timeout' to
- be deduplicated
- find:
+- name: Require Re-Authentication When Using the sudo Command - Find /etc/sudoers.d/*
+ files containing 'Defaults timestamp_timeout'
+ ansible.builtin.find:
path: /etc/sudoers.d
patterns: '*'
contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
@@ -38,9 +38,9 @@
- restrict_strategy
- sudo_require_reauthentication
-- name: Remove found occurrences of 'Defaults timestamp_timeout' from /etc/sudoers.d/*
- files
- lineinfile:
+- name: Require Re-Authentication When Using the sudo Command - Remove 'Defaults timestamp_timeout'
+ from /etc/sudoers.d/* files
+ ansible.builtin.lineinfile:
path: '{{ item.path }}'
regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
state: absent
@@ -58,8 +58,9 @@
- restrict_strategy
- sudo_require_reauthentication
-- name: Ensure timestamp_timeout is enabled with the appropriate value in /etc/sudoers
- lineinfile:
+- name: Require Re-Authentication When Using the sudo Command - Ensure timestamp_timeout
+ has the appropriate value in /etc/sudoers
+ ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults\s(.*)\btimestamp_timeout[\s]*=[\s]*[-]?\w+\b(.*)$
line: Defaults \1timestamp_timeout={{ var_sudo_timestamp_timeout }}\2
@@ -79,14 +80,16 @@
- restrict_strategy
- sudo_require_reauthentication
-- name: Enable timestamp_timeout option with appropriate value in /etc/sudoers
- lineinfile:
+- name: Require Re-Authentication When Using the sudo Command - Enable timestamp_timeout
+ option with correct value in /etc/sudoers
+ ansible.builtin.lineinfile:
path: /etc/sudoers
line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
validate: /usr/sbin/visudo -cf %s
when:
- '"sudo" in ansible_facts.packages'
- - edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
+ - |
+ edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
tags:
- CCE-87838-9
- DISA-STIG-RHEL-08-010384
@@ -98,3 +101,24 @@
- no_reboot_needed
- restrict_strategy
- sudo_require_reauthentication
+
+- name: Require Re-Authentication When Using the sudo Command - Remove timestamp_timeout
+ wrong values in /etc/sudoers
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers
+ regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=[\s]*(?!{{ var_sudo_timestamp_timeout
+ }}\b)[-]?\w+\b.*$
+ state: absent
+ validate: /usr/sbin/visudo -cf %s
+ when: '"sudo" in ansible_facts.packages'
+ tags:
+ - CCE-87838-9
+ - DISA-STIG-RHEL-08-010384
+ - NIST-800-53-IA-11
+ - PCI-DSSv4-2.2.6
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_require_reauthentication |
|
/ok-to-test |
openshift-ci
bot
added
ok-to-test
There was a problem hiding this comment.
Hello @Xeicker and thank you for this update. It is fine.
Could you just please reformat the Ansible remediation according to these rules?
https://complianceascode.readthedocs.io/en/latest/manual/developer/04_style_guide.html#ansible
Thank you.
This affects ansible, to align it with style guide Signed-off-by: Edgar Aguilar <edgar.aguilar@oracle.com>
|
Code Climate has analyzed commit f002fdf and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 58.8%. View more on Code Climate. |
Description:
sudo_require_reauthenticationto ensure no conflicting configurations are present in /etc/sudoers directlyRationale:
Review Hints: