| 12
 3
 4
 5
 6
 7
 8
 9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 
 | documentation_complete: true
title: 'Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC'
description: |-
    The sudo <tt>NOEXEC</tt> tag, when specified, prevents user executed
    commands from executing other commands, like a shell for example.
    This should be enabled by making sure that the <tt>NOEXEC</tt> tag exists in
    <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
    in <tt>/etc/sudoers.d/</tt>.
rationale: |-
    Restricting the capability of sudo allowed commands to execute sub-commands
    prevents users from running programs with privileges they wouldn't have otherwise.
severity: high
identifiers:
    cce@rhel8: CCE-83747-6
    cce@rhel9: CCE-83537-1
    cce@rhel10: CCE-89119-2
    cce@sle12: CCE-91494-5
    cce@sle15: CCE-91186-7
ocil_clause: 'noexec is not enabled in sudo'
ocil: |-
    To determine if <tt>NOEXEC</tt> has been configured for sudo, run the following command:
    <pre>$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/</pre>
    The command should return a matching output.
template:
    name: sudo_defaults_option
    vars:
        option: noexec
 |