[Enhancement][RHEL/7] Add initial sudoers content

- Add initial sudo content to check for NOPASSWD and !authenticate in sudoers
  for RHEL7 STIG
- Fixes #1015

RHEL/7/input/guide.xslt

@@ -77,6 +77,7 @@
       <xsl:apply-templates select="document('xccdf/system/software/updating.xml')" />
       <xsl:apply-templates select="document('xccdf/system/software/integrity.xml')" />
       <xsl:apply-templates select="document('xccdf/system/software/gnome.xml')" />
+      <xsl:apply-templates select="document('xccdf/system/software/sudo.xml')" />
     </xsl:copy>
   </xsl:template>
 

RHEL/7/input/oval/sudo_remove_no_authenticate.xml

@@ -0,0 +1,36 @@
+<def-group>
+  <definition class="compliance" id="sudo_remove_no_authenticate" version="1">
+    <metadata>
+      <title>Remove !authenticate Usage From Sudo</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>Checks interactive shell timeout</description>
+      <reference source="galford" ref_id="20160606" ref_url="test_attestation" />
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="!authenticate does not exist in /etc/sudoers" test_ref="test_no_authenticate_etc_sudoers" />
+      <criterion comment="!authenticate does not exist in /etc/sudoers.d" test_ref="test_no_authenticate_etc_sudoers_d" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="!authenticate does not exist in /etc/sudoers" id="test_no_authenticate_etc_sudoers" version="1">
+    <ind:object object_ref="object_no_authenticate_etc_sudoers" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_no_authenticate_etc_sudoers" version="1">
+    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:pattern operation="pattern match">^(?!#).*[\s]+\!authenticate.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="!authenticate does not exist in /etc/sudoers.d" id="test_no_authenticate_etc_sudoers_d" version="1">
+    <ind:object object_ref="object_no_authenticate_etc_sudoers_d" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_no_authenticate_etc_sudoers_d" version="1">
+    <ind:path>/etc/sudoers.d</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^(?!#).*[\s]+\!authenticate.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

RHEL/7/input/oval/sudo_remove_nopasswd.xml

@@ -0,0 +1,36 @@
+<def-group>
+  <definition class="compliance" id="sudo_remove_nopasswd" version="1">
+    <metadata>
+      <title>Remove nopasswd Usage From Sudo</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>Checks interactive shell timeout</description>
+      <reference source="galford" ref_id="20160606" ref_url="test_attestation" />
+    </metadata>
+    <criteria operator="AND">
+      <criterion comment="NOPASSWD is not configured in /etc/sudoers" test_ref="test_nopasswd_etc_sudoers" />
+      <criterion comment="NOPASSWD is not configured in /etc/sudoers.d" test_ref="test_nopasswd_etc_sudoers_d" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD does not exist /etc/sudoers" id="test_nopasswd_etc_sudoers" version="1">
+    <ind:object object_ref="object_nopasswd_etc_sudoers" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_nopasswd_etc_sudoers" version="1">
+    <ind:filepath>/etc/sudoers</ind:filepath>
+    <ind:pattern operation="pattern match">^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD does not exist in /etc/sudoers.d" id="test_nopasswd_etc_sudoers_d" version="1">
+    <ind:object object_ref="object_nopasswd_etc_sudoers_d" />
+  </ind:textfilecontent54_test>
+  <ind:textfilecontent54_object id="object_nopasswd_etc_sudoers_d" version="1">
+    <ind:path>/etc/sudoers.d</ind:path>
+    <ind:filename operation="pattern match">^.*$</ind:filename>
+    <ind:pattern operation="pattern match">^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>

RHEL/7/input/xccdf/system/software/sudo.xml

@@ -0,0 +1,65 @@
+<Group id="sudo">
+<title>Sudo</title>
+<description>
+<tt>Sudo</tt>, which stands for "su 'do'", provides the ability to delegate authority
+to certain users, groups of users, or system administrators. When configured for system 
+users and/or groups, <tt>Sudo</tt> can allow a user or group to execute privileged commands
+that normally only <tt>root</tt> is allowed to execute.
+<br/><br/>
+For more information on <tt>Sudo</tt> and addition <tt>Sudo</tt> configuration options, see
+<b>https://www.sudo.ws</b>
+</description>
+
+<Rule id="sudo_remove_nopasswd" severity="medium">
+<title>Remove nopasswd Usage From Sudo</title>
+<description>
+The sudo <tt>NOPASSWD</tt> tag, when specified, allows a user to execute commands using
+sudo without having to authenticate. This should be disabled by making sure that the
+<tt>NOPASSWD</tt> tag does not exist in <tt>/etc/sudoers</tt> configuration file or 
+any sudo configuration snippets in <tt>/etc/sudoers.d</tt>.
+</description>
+<ocil clause="nopasswd is enabled in sudo">
+To determine if <tt>NOPASSWD</tt> has been configured for sudo, run the following command:
+<pre>$ sudo grep NOPASSWD /etc/sudoers /etc/sudoers.d/</pre>
+The command should return no output.
+</ocil>
+<rationale>
+Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+<br /><br />
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
+</rationale>
+<ident cce="RHEL7-CCE-TBD" />
+<oval id="sudo_remove_nopasswd" />
+<ref nist="IA-11" disa="2038" stigid="01038"
+ossrg="SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158"/>
+</Rule>
+
+<Rule id="sudo_remove_no_authenticate" severity="medium">
+<title>Remove !authenticate Usage From Sudo</title>
+<description>
+The sudo <tt>!authenticate</tt> option, when specified, allows a user to execute commands using
+sudo without having to authenticate. This should be disabled by making sure that the
+<tt>!authenticate</tt> option does not exist in <tt>/etc/sudoers</tt> configuration file or
+any sudo configuration snippets in <tt>/etc/sudoers.d</tt>.
+</description>
+<ocil clause="!authenticate is enabled in sudo">
+To determine if <tt>!authenticate</tt> has not been configured for sudo, run the following command:
+<pre>$ sudo grep \!authenticate /etc/sudoers /etc/sudoers.d/</pre>
+The command should return no output.
+</ocil>
+<rationale>
+Without re-authentication, users may access resources or perform tasks for which they
+do not have authorization.
+<br /><br />
+When operating systems provide the capability to escalate a functional capability, it
+is critical that the user re-authenticate.
+</rationale>
+<ident cce="RHEL7-CCE-TBD" />
+<oval id="sudo_remove_no_authenticate" />
+<ref nist="IA-11" disa="2038" stigid=""
+ossrg="SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158"/>
+</Rule>
+
+</Group>