Create bash and ansible macro for sudo related rules.

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/ansible/shared.yml

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/bash/shared.sh

@@ -0,0 +1,7 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/correct_value.pass.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+rm -f /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers

linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/tests/wrong_value.fail.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_stig
+
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers

linux_os/guide/system/software/sudo/sudo_remove_nopasswd/ansible/shared.yml

@@ -4,18 +4,4 @@
 # complexity = low
 # disruption = low
 
-- name: Find /etc/sudoers.d/ files
-  find:
-    paths:
-      - /etc/sudoers.d/
-  register: sudoers
-
-- name: "Remove lines containing NOPASSWD from sudoers files"
-  replace:
-    regexp: '(^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)'
-    replace: '# \g<1>'
-    path: "{{ item.path }}"
-    validate: /usr/sbin/visudo -cf %s
-  with_items:
-    - { path: /etc/sudoers }
-    - "{{ sudoers.files }}"
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}

linux_os/guide/system/software/sudo/sudo_remove_nopasswd/bash/shared.sh

@@ -4,14 +4,4 @@
 # complexity = low
 # disruption = low
 
-for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
-  nopasswd_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
-  if ! test -z "$nopasswd_list"; then 
-    while IFS= read -r nopasswd_entry; do
-      # comment out "NOPASSWD:" matches to preserve user data
-      sed -i "s/^${nopasswd_entry}$/# &/g" $f
-    done <<< "$nopasswd_list"
-
-    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
-  fi
-done
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}

linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml

@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
+
+{{{ ansible_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh

@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}}
+
+{{{ bash_sudo_remove_config("!authenticate", "!authenticate") }}}

linux_os/guide/system/software/sudo/sudo_require_authentication/tests/correct_value.pass.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+rm -f /etc/sudoers
+echo "%wheel	ALL=(ALL)	ALL" > /etc/sudoers
+echo "Defaults authenticate" > /etc/sudoers
+chmod 440 /etc/sudoers

linux_os/guide/system/software/sudo/sudo_require_authentication/tests/wrong_value.fail.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_e8
+
+echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers
+chmod 440 /etc/sudoers
+
+mkdir /etc/sudoers.d/
+echo "%wheel        ALL=(ALL)       !authenticate ALL" >> /etc/sudoers.d/sudoers
+echo "Defaults !authenticate" >> /etc/sudoers.d/sudoers
+chmod 440 /etc/sudoers.d/sudoers

shared/macros-ansible.jinja

@@ -559,3 +559,22 @@ See official documentation: https://jinja.palletsprojects.com/en/2.11.x/template
     create: yes
     mode: 0644
 {{%- endmacro %}}
+
+{{%- macro ansible_sudo_remove_config(parameter, pattern) -%}}
+
+- name: Find /etc/sudoers.d/ files
+  find:
+    paths:
+      - /etc/sudoers.d/
+  register: sudoers
+
+- name: "Remove lines containing {{{ parameter }}} from sudoers files"
+  replace:
+    regexp: '(^(?!#).*[\s]+\{{{ pattern }}}.*$)'
+    replace: '# \g<1>'
+    path: "{{ item.path }}"
+    validate: /usr/sbin/visudo -cf %s
+  with_items:
+    - { path: /etc/sudoers }
+    - "{{ sudoers.files }}"
+{{%- endmacro -%}}

shared/macros-bash.jinja

@@ -599,4 +599,19 @@ else
         echo "Config file directory '{{{ config_dir }}}' doesnt exist, not remediating, assuming non-applicability." >&2
     fi
 fi
+
 {{%- endmacro %}}
+
+{{%- macro bash_sudo_remove_config(parameter, pattern) -%}}
+for f in $( ls /etc/sudoers /etc/sudoers.d/* 2> /dev/null ) ; do
+  matching_list=$(grep -P '^(?!#).*[\s]+\{{{ pattern }}}.*$' $f | uniq )
+  if ! test -z "$matching_list"; then
+    while IFS= read -r entry; do
+      # comment out "{{{ parameter }}}" matches to preserve user data
+      sed -i "s/^${entry}$/# &/g" $f
+    done <<< "$matching_list"
+
+    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
+  fi
+done
+{{%- endmacro -%}}