Add bash remediation for sudo_remove_nopasswd.
ggbecker committed Sep 7, 2020
1 parent 117d05c commit 9fb91ad
Showing 1 changed file with 17 additions and 0 deletions.
@@ -0,0 +1,17 @@
# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
if ! test -z "$nopasswd_list"; then
while IFS= read -r nopasswd_entry; do
# comment out "NOPASSWD:" matches to preserve user data
sed -i "s/^${nopasswd_entry}$/# &/g" $f
done <<< "$nopasswd_list"

/usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
fi
done
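Review bot: The line `sed -i "s/^${nopasswd_entry}$/# &/g" $f` interpolates each matched sudoers line unescaped into the sed regex, so any entry containing a `/` — which nearly every real rule does, e.g. `NOPASSWD: /usr/bin/systemctl` — terminates the `s` command early and sed exits with an error, while `.`, `*`, `[` and `\` in the entry act as regex metacharacters instead of literal text. Because that exit status is discarded and `/usr/sbin/visudo -cf` then validates the untouched file successfully, the remediation prints nothing and leaves the NOPASSWD rule in place. Escape the entry before building the expression (or comment by line number obtained from `grep -n`), and replace `for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null )` with a plain glob guarded by `[ -f "$f" ] || continue`, quoting `"$f"` throughout, since `ls` output is word-split on whitespace. The rewrite below keeps the grep and visudo steps unchanged.
```shell
for f in /etc/sudoers /etc/sudoers.d/*; do
  [ -f "$f" ] || continue
  # … unchanged: grep for NOPASSWD entries into nopasswd_list …
  while IFS= read -r nopasswd_entry; do
    # Escape sed metacharacters and the '/' delimiter so the entry is matched
    # literally; otherwise a path in the rule breaks the s command.
    escaped=$(printf '%s' "$nopasswd_entry" | sed 's/[][\\.*^$/]/\\&/g')
    # comment out "NOPASSWD:" matches to preserve user data
    sed -i "s/^${escaped}\$/# &/" "$f" || echo "Fail to comment out NOPASSWD entry in $f"
  done <<< "$nopasswd_list"
  # … unchanged: visudo validation …
done
```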
