1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
documentation_complete: true
title: 'Ensure sudo Runs In A Minimal Environment - sudo env_reset'
description: |-
The sudo <tt>env_reset</tt> tag, when specified, will run the command in a minimal environment,
containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables.
{{%- if 'rhel' in product or 'ol' in families %}}
On {{{ full_name }}}, <tt>env_reset</tt> is enabled by default
{{%- endif %}}
This should be enabled by making sure that the <tt>env_reset</tt> tag exists in
<tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
in <tt>/etc/sudoers.d/</tt>.
rationale: |-
Forcing sudo to reset the environment ensures that environment variables are not passed on to the
command accidentaly, preventing leak of potentially sensitive information.
severity: medium
identifiers:
cce@rhel8: CCE-83820-1
cce@rhel10: CCE-90747-7
cce@sle12: CCE-91492-9
cce@sle15: CCE-91184-2
ocil_clause: 'env_reset is not enabled in sudo'
ocil: |-
To determine if <tt>env_reset</tt> has been configured for sudo, run the following command:
<pre>$ sudo grep -ri "^[\s]*Defaults.*\benv_reset\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
name: sudo_defaults_option
vars:
option: env_reset
default_is_enabled@rhel8: "true"
|
