Merge pull request #6049 from ggbecker/update-stig-RHEL-07-010340

Add bash and ansible remediation for sudo_remove_nopasswd and sudo_remove_no_authenticate

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers

linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}

linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}

linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/correct_value.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
+chmod 440 /etc/sudoers

linux_os/guide/system/software/sudo/sudo_remove_nopasswd/tests/wrong_value.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers

linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml

@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
+
+{{{ ansible_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh

@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
+
+{{{ bash_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+rm -f /etc/sudoers
+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers

linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel        ALL=(ALL)       !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers

shared/macros-ansible.jinja

@@ -559,3 +559,22 @@ See official documentation: https://jinja.palletsprojects.com/en/2.11.x/template
     create: yes
     mode: 0644
 {{%- endmacro %}}
+
+{{%- macro ansible_sudo_remove_config(parameter, pattern) -%}}
+
+- name: Find /etc/sudoers.d/ files
+  find:
+    paths:
+      - /etc/sudoers.d/
+  register: sudoers
+
+- name: "Remove lines containing {{{ parameter }}} from sudoers files"
+  replace:
+    regexp: '(^(?!#).*[\s]+\{{{ pattern }}}.*$)'
+    replace: '# \g<1>'
+    path: "{{ item.path }}"
+    validate: /usr/sbin/visudo -cf %s
+  with_items:
+    - { path: /etc/sudoers }
+    - "{{ sudoers.files }}"
+{{%- endmacro -%}}

shared/macros-bash.jinja

@@ -600,3 +600,17 @@ else
     fi
 fi
 {{%- endmacro %}}
+
+{{%- macro bash_sudo_remove_config(parameter, pattern) -%}}
+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
+  matching_list=$(grep -P '^(?!#).*[\s]+\{{{ pattern }}}.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "{{{ parameter }}}" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+{{%- endmacro -%}}