Fix in sudo_require_reauthentication

[rumch-se]

Description:

• A small fix in OVAL for the rule sudo_require_reauthentication

Rationale:

• In the proposed version additional check is added if sudo package is installed or not. The installation of sudo package creates /etc/sudoers file which is a subject of audit, and the removal of sudo package removes /etc/sudoers file.

[openshift-ci]

Hi @rumch-se. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)

Fedora Testing Environment

Oracle Linux 8 Environment

[github-actions]

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

OVAL for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' differs.
--- oval:ssg-sudo_require_reauthentication:def:1
+++ oval:ssg-sudo_require_reauthentication:def:1
@@ -1,2 +1,3 @@
-criteria None
+criteria AND
 criterion oval:ssg-test_sudo_timestamp_timeout:tst:1
+criterion oval:ssg-test_sudo_timestamp_timeout_no_signs:tst:1

bash remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' differs.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -1,4 +1,5 @@
-
+# Remediation is applicable only in certain platforms
+if rpm --quiet -q sudo; then
 
 var_sudo_timestamp_timeout=''
 
@@ -32,3 +33,7 @@
 echo "Skipping remediation, /etc/sudoers failed to validate"
 false
 fi
+
+else
+ >&2 echo 'Remediation is not applicable, nothing was done'
+fi

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication' differs.
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -1,3 +1,16 @@
+- name: Gather the package facts
+ package_facts:
+ manager: auto
+ tags:
+ - CCE-87838-9
+ - DISA-STIG-RHEL-08-010384
+ - NIST-800-53-IA-11
+ - low_complexity
+ - low_disruption
+ - medium_severity
+ - no_reboot_needed
+ - restrict_strategy
+ - sudo_require_reauthentication
 - name: XCCDF Value var_sudo_timestamp_timeout # promote to variable
 set_fact:
 var_sudo_timestamp_timeout: !!str 
@@ -11,6 +24,7 @@
 patterns: '*'
 contains: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
 register: sudoers_d_defaults_timestamp_timeout
+ when: '"sudo" in ansible_facts.packages'
 tags:
 - CCE-87838-9
 - DISA-STIG-RHEL-08-010384
@@ -29,6 +43,7 @@
 regexp: ^[\s]*Defaults\s.*\btimestamp_timeout[\s]*=.*
 state: absent
 with_items: '{{ sudoers_d_defaults_timestamp_timeout.files }}'
+ when: '"sudo" in ansible_facts.packages'
 tags:
 - CCE-87838-9
 - DISA-STIG-RHEL-08-010384
@@ -48,6 +63,7 @@
 validate: /usr/sbin/visudo -cf %s
 backrefs: true
 register: edit_sudoers_timestamp_timeout_option
+ when: '"sudo" in ansible_facts.packages'
 tags:
 - CCE-87838-9
 - DISA-STIG-RHEL-08-010384
@@ -64,7 +80,9 @@
 path: /etc/sudoers
 line: Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}
 validate: /usr/sbin/visudo -cf %s
- when: edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
+ when:
+ - '"sudo" in ansible_facts.packages'
+ - edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed
 tags:
 - CCE-87838-9
 - DISA-STIG-RHEL-08-010384

Platform has been changed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'
--- xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
+++ xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
@@ -1 +1 @@
-
+cpe:/a:sudo:

[ggbecker]

another way to achieve the same goal is to use platforms instead. But I guess a CPE platform for sudo would need to be created.

[rumch-se]

Hello @ggbecker
Thank you for your feedback. I don't know how to create a CPE platform for sudo, but please take in mind that there are few rules which need similar check. I have started with this, and I am planning to make similar correction for others. For example some of the rules in the group /software/sudo/ do not check if the sudo package is installed and they directly jump to check some configuration parameter(s) in /etc/sudoers/ or /etc/sudoer.d/ for example - sudo_remove_no_authenticate, sudo_remove_no_password, sudo_require_authentication, sudo_vdsm_password.
Maybe there are more and this issue needs a general approach.
Have a nice day
Rumen

[ggbecker]

I think that a simple:

diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
index 0828312ba5..4a6d7d4dc9 100644
--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml
@@ -25,6 +25,8 @@ identifiers:
     cce@rhel9: CCE-83543-9
     cce@sle15: CCE-85673-2
 
+platform: package[sudo]
+
 references:
     cis-csc: 1,12,15,16,5
     cis@rhel8: 5.3.4

would do the trick. And this would ensure that the remediation also takes the platform in consideration for example.

As described in https://complianceascode.readthedocs.io/en/latest/manual/developer/06_contributing_with_content.html#rules

in the platform parameter.

[ggbecker]

We have a few examples of sudo platform being used:

linux_os/guide/system/software/sudo/sudo_restrict_privilege_elevation_to_authorized/rule.yml:
  55: platform: package[sudo]

linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml:
  41: platform: package[sudo]

linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml:
  41: platform: package[sudo]

linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml:
  42: platform: package[sudo]

[rumch-se]

Good morning @ggbecker
I have implemented the proposed change
Have a nice day
Rumen

[ggbecker]

Suggested change

	<ind:pattern operation="pattern match">^[\s]*Defaults[\s]*timestamp_timeout[\s]*=\s*[0-9]+$</ind:pattern>
	<ind:pattern operation="pattern match">^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[0-9]+$</ind:pattern>

I think that there should be at least a space between the Defaults and timestamp_timeout

[ggbecker]

 ERROR - Script multiple_conflicting_value.fail.sh using profile (all) found issue:
ERROR - Rule evaluation resulted in pass, instead of expected fail during initial stage 
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.

This test scenario is failing. We should investigate why before proceeding.

[rumch-se]

Hello @ggbecker
I have corrected the both issues. I think that the test pass instead of fail because regex provides /etc/sudoers + . and .., i.e. the second row in OVAL is looking for string in /etc/sudoers (pass), but the second row is looking in . and .. instead of the files into /etc/sudoers.d/
Have a nice day.
Rumen

[ggbecker]

Suggested change

	<ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/*)$</ind:filepath>
	<ind:filepath operation="pattern match">^\/etc\/(sudoers|sudoers\.d\/.*)$</ind:filepath>

[ggbecker]

It looks like it's missing the proper capture all element here

[rumch-se]

Hello @ggbecker
I have corrected again OVAL and executed all these tests - in each column is the value of timestamp_timeout.
I added an additional test which tests the existence of Defaults timestamp_timeout=+ or
Defaults timestamp_timeout=-
Like that I was able to isolate that the value after the equal sign is >=0

=== Test cases ===
Defaults timestamp_timeout

/etc/sudoers | /etc/sudoers.d/00-complianceascode-test.conf | test
1 | 3 | fail - ok
0 | 3 | fail - ok
3 | 3 | fail - ok
no_value | 3 | pass - ok
3 | | pass - ok
-3 | | fail - ok
0 | | pass - ok
+0 | | fail - ok
+3 | | fail - ok
++3 | | fail - ok
no_value | +3 | fail - ok
no_value | ++3 | fail - ok
no_value | 0 | pass - ok
no_value | +0 | fail - ok
no_value | -3 | fail - ok
0 | -1 | fail - ok
-1 | 0 | fail - ok
no value | no value | fail - ok

Have a nice day
Rumen

[ggbecker]

Hi @rumch-se I'm not seeing the new test you mention in the changes section. Maybe you forgot to add the new file in the commit.

[rumch-se]

Hello @ggbecker

There is no new test. I used the problematic test as a reference and changed values manually. Like that I wanted to be sure that the correction will cover all possible cases.

Have a nice day
Rumen

[ggbecker]

Hello @ggbecker

There is no new test. I used the problematic test as a reference and changed values manually. Like that I wanted to be sure that the correction will cover all possible cases.

Have a nice day Rumen

Understood. I think some of these scenarios are worthwhile to have a new automated test added. You can simply copy and paste existing files within tests/ folder of that rule to make sure that future changes to the rule will not change the intended behavior (the OVAL check will not regress). Please add new tests to cover some of the scenarios you described.

[rumch-se]

Hello @ggbecker
New tests were added
Have a nice day
Rumen

[ggbecker]

Hello @ggbecker New tests were added Have a nice day Rumen

Hi @rumch-se No tests were added in the changes. Maybe you now forgot to add them?

[rumch-se]

Hello @ggbecker
The tests ware added this time.
Have a nice day
Rumen

[codeclimate]

Code Climate has analyzed commit bd8ea99 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 51.7% (0.0% change).

View more on Code Climate.

[ggbecker]

Hello @ggbecker The tests ware added this time. Have a nice day Rumen

We have to take a look at the results and fix them if possible (maybe some package is missing or some specific directory is missing in the testing environment):

https://github.com/ComplianceAsCode/content/actions/runs/4261303411/jobs/7415506767

logs: https://github.com/ComplianceAsCode/content/suites/11180141093/artifacts/571245791

Run [[ -f logs_bash/test_suite.log ]] && echo "---------Bash Remediation Logs---------" && cat logs_bash/test_suite.log | grep -v "DEBUG - "
---------Bash Remediation Logs---------
INFO - xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
INFO - Script correct_value_1.pass.sh using profile (all) OK
INFO - Script correct_value_3.pass.sh using profile (all) OK
INFO - Script wrong_value_6.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value_4.fail.sh using profile (all) OK
INFO - Script wrong_value_4.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value.fail.sh using profile (all) OK
INFO - Script multiple_correct_value.fail.sh using profile (all) OK
INFO - Script correct_value_4.pass.sh using profile (all) OK
INFO - Script wrong_value_7.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
INFO - Script missing_value_1.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value_3.fail.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script wrong_value_2.fail.sh using profile (all) OK
INFO - Script wrong_value_1.fail.sh using profile (all) OK
INFO - Script wrong_value_8.fail.sh using profile (all) OK
ERROR - Bash remediation for rule xccdf_org.ssgproject.content_rule_sudo_require_reauthentication has exited with these errors:
Warning: Permanently added '[localhost]:36637' (ECDSA) to the list of known hosts.
+ echo 'Remediating rule 1/1: '\''xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'\'''
Remediating rule 1/1: 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'
+ rpm --quiet -q sudo
+ var_sudo_timestamp_timeout=5
+ grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' '/etc/sudoers.d/*'
grep: /etc/sudoers.d/*: No such file or directory
+ /usr/sbin/visudo -qcf /etc/sudoers
+ echo 'Skipping remediation, /etc/sudoers failed to validate'
+ false

ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
INFO - Script multiple_conflicting_value_1.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value_5.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value_2.fail.sh using profile (all) OK
INFO - Script multiple_equal_value.fail.sh using profile (all) OK
INFO - Script correct_value_2.pass.sh using profile (all) OK
INFO - Script wrong_value_3.fail.sh using profile (all) OK
INFO - Script correct_value_with_spaces.pass.sh using profile (all) OK
---------Ansible Remediation Logs---------
INFO - xccdf_org.ssgproject.content_rule_sudo_require_reauthentication
INFO - Script correct_value_1.pass.sh using profile (all) OK
INFO - Script correct_value_3.pass.sh using profile (all) OK
INFO - Script wrong_value_6.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
INFO - Script wrong_value.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value_4.fail.sh using profile (all) OK
INFO - Script wrong_value_4.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value.fail.sh using profile (all) OK
INFO - Script multiple_correct_value.fail.sh using profile (all) OK
INFO - Script correct_value_4.pass.sh using profile (all) OK
INFO - Script wrong_value_7.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage 
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
INFO - Script missing_value_1.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value_3.fail.sh using profile (all) OK
INFO - Script missing_value.fail.sh using profile (all) OK
INFO - Script wrong_value_2.fail.sh using profile (all) OK
INFO - Script wrong_value_1.fail.sh using profile (all) OK
INFO - Script wrong_value_8.fail.sh using profile (all) OK
ERROR - Ansible playbook remediation run has exited with return code 2 instead of expected 0
ERROR - The remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
INFO - Script multiple_conflicting_value_1.fail.sh using profile (all) OK
INFO - Script correct_value.pass.sh using profile (all) OK
INFO - Script wrong_value_5.fail.sh using profile (all) OK
INFO - Script multiple_conflicting_value_2.fail.sh using profile (all) OK
INFO - Script multiple_equal_value.fail.sh using profile (all) OK
INFO - Script correct_value_2.pass.sh using profile (all) OK
INFO - Script wrong_value_3.fail.sh using profile (all) OK
INFO - Script correct_value_with_spaces.pass.sh using profile (all) OK
Error: Process completed with exit code 1.

[ggbecker]

@rumch-se whenever you have time can you look at my comment above.

[rumch-se]

Hello @ggbecker

I need some clarification here.
We have few times
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_sudo_require_reauthentication'.
May I think that the remediation part is not working? I have this question, because I tested only OVAL part with my new tests to see the status - pass or fail. I did not test/touch remediation part. I can see for example that bash/ansible remediation were created by you and Federico Ramirez.
In my new tests, in general, I re-used the approach from the existing tests by creating or modifying content of /etc/sudoers or in a file located in /etc/sudoers.d. For example with the test wrong_value_6.fail.sh I add timestamp_timeout=+0 in /etc/sudoers and I remove
timestamp_timeout from the /etc/sudoers.d/00-complianceascode-test.conf when we have such a file.
In this particular case the wrong value is +0
We have similar issue with wrong_value_7.fail.sh - where the wrong value is +3
We have similar issue with wrong_value_8.fail.sh - where the wrong value is ++3

Would be possible you to execute locally in the following order some of problematic test(s)

• run audit - shows pass
• run problematic test
• run audit - shows fail
• run remediation - bash/or ansible
• run audit - must show pass

My last commit adds the test wrong_value_2.fail.sh

Have a nice day
Rumen

[ggbecker]

I've identified that having +/- signs does not generate a parsing problem for the following command

visudo -cf /etc/sudoers

which is the precondition for the remediation to be run:

content/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh

Line 14 in 40fa43c

if /usr/sbin/visudo -qcf /etc/sudoers; then

I didn't dig deeper in the ansible remediation, but it seems that having one sign is ok, but having two or more is a problem for the sudoers file parsing.

What is the reason behind blocking usage of one sign in the value from the OVAL perspective?

[rumch-se]

Hello @ggbecker,

When I worked on the OVAL, I decided to focus on cases when we have a value which is a Whole number i.e. according math definition we have:
Natural Numbers (N), (also called positive integers, counting numbers, or natural numbers); They are the numbers {1, 2, 3, 4, 5, …}
Whole Numbers (W). This is the set of natural numbers, plus zero, i.e., {0, 1, 2, 3, 4, 5, …}.
source: https://arbs.nzcer.org.nz/types-numbers
because of this concept any type value which is +0, -0, +1, -1, etc. is invalid. I designed my tests to covers these cases and cases when we have more than one sign.

Have a nice day
Rumen

[ggbecker]

Hello @ggbecker,

When I worked on the OVAL, I decided to focus on cases when we have a value which is a Whole number i.e. according math definition we have: Natural Numbers (N), (also called positive integers, counting numbers, or natural numbers); They are the numbers {1, 2, 3, 4, 5, …} Whole Numbers (W). This is the set of natural numbers, plus zero, i.e., {0, 1, 2, 3, 4, 5, …}. source: https://arbs.nzcer.org.nz/types-numbers because of this concept any type value which is +0, -0, +1, -1, etc. is invalid. I designed my tests to covers these cases and cases when we have more than one sign.

Have a nice day Rumen

I understand that this reference you mention doesn't accept some of the values, but the parsing of the sudoers file seems to be a different and they accept those values as valid.

We should align with what the software accepts in this case unfortunately, otherwise valid configurations will be interpreted as invalid.

Additionally, the remediation probably needs to be reworked to be smarter when there is an invalid value set, maybe it should try to remediate and then run the validation again having a backup file that will revert in case the validation (visudo -c) fails again.

[rumch-se]

Hello @ggbecker
I did an additional research about timestamp_timeout and I found that
timestamp_timeout
Number of minutes that can elapse before sudo will ask for a passwd again. The timeout may include a fractional component if minute granularity is insufficient, for example 2.5. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's time stamp will never expire. This can be used to allow users to create or delete their own time stamps via ''sudo -v'' and ''sudo -k'' respectively.
source: https://linux.die.net/man/5/sudoers
Because of that I changed the regexp in the OVAL.
According to the test case developed by you wrong_value.fail.sh we should not have negative numbers as valued for timestamp_timeout.

After this change +0 / +1 / +2.5 / 2.5 are valid settings.

Have a nice day
Rumen

[ggbecker]

The test scenario called wrong_value_4.fail.sh is problematic as it puts ++ double sign and this invalidates the sudoers file. I believe we can simply remove it from the PR. It's not part of the remediation to fix syntax issues in the sudoers file.

[rumch-se]

Hello @ggbecker
Two tests were removed (those with ++ sign)
Have a nice day
Rumen