1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
documentation_complete: true
title: 'Ensure Sudo Logfile Exists - sudo logfile'
description: |-
A custom log sudo file can be configured with the 'logfile' tag. This rule configures
a sudo custom logfile at the default location suggested by CIS, which uses
/var/log/sudo.log.
rationale: |-
A sudo log file simplifies auditing of sudo commands.
severity: low
identifiers:
cce@rhel8: CCE-83601-5
cce@rhel9: CCE-83527-2
cce@rhel10: CCE-89611-8
cce@sle12: CCE-91654-4
cce@sle15: CCE-91311-1
cce@slmicro5: CCE-94073-4
references:
cis@sle12: 1.3.3
cis@sle15: 1.3.3
pcidss: Req-10.2.5
ocil_clause: 'logfile is not enabled in sudo'
ocil: |-
To determine if <tt>logfile</tt> has been configured for sudo, run the following command:
<pre>$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/</pre>
The command should return a matching output.
template:
name: sudo_defaults_option
vars:
option: logfile
# In this rule it is necessary to collect the current value and compare with an XCCDF
# variable, which includes the expected file path. Therefore, it is first necessary to
# extract the file path from the configuration line. This is done with the regex informed
# in option_regex_suffix.
# For illustration, these are few examples of a valid configuration lines:
# Defaults logfile=/var/log/sudo.log
# Defaults logfile = /var/log/sudo.log,noexec
# Defaults logfile="/var/log/sudo.log"
# In these examples it is necessary to extract '/var/log/sudo.log' from the line.
# The regex below ensure the file path is collected in these possible scenarios.
option_regex_suffix: '\s*=\s*(?:"?([^",\s]+)"?)'
variable_name: var_sudo_logfile
platform: package[sudo]
|
