File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (57 lines) | stat: -rw-r--r-- 2,372 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
 
documentation_complete: true

title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate'

description: |-
    The sudo <tt>!authenticate</tt> option, when specified, allows a user to execute commands using
    sudo without having to authenticate. This should be disabled by making sure that the
    <tt>!authenticate</tt> option does not exist in <tt>/etc/sudoers</tt> configuration file or
    any sudo configuration snippets in <tt>/etc/sudoers.d/</tt>.

rationale: |-
    Without re-authentication, users may access resources or perform tasks for which they
    do not have authorization.
    <br /><br />
    When operating systems provide the capability to escalate a functional capability, it
    is critical that the user re-authenticate.

severity: medium

identifiers:
    cce@rhel8: CCE-82202-3
    cce@rhel9: CCE-83544-7
    cce@rhel10: CCE-88892-5
    cce@sle12: CCE-83013-3
    cce@sle15: CCE-83291-5
    cce@slmicro5: CCE-93715-1
    cce@slmicro6: CCE-94718-4

references:
    cis-csc: 1,12,15,16,5
    cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10
    isa-62443-2009: 4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
    iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
    nist: IA-11,CM-6(a)
    nist-csf: PR.AC-1,PR.AC-7
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
    stigid@ol7: OL07-00-010350
    stigid@ol8: OL08-00-010381
    stigid@sle12: SLES-12-010110
    stigid@sle15: SLES-15-010450

ocil_clause: "!authenticate is specified in the sudo config files"

ocil: |-
    To determine if <tt>!authenticate</tt> has not been configured for sudo, run the following command:
    <pre>$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/</pre>
    The command should return no output.

fixtext: |-
    Check that {{{ full_name }}} is not configured to allow users to execute privileged actions without authenticating.

    Remove any occurrence of "!authenticate" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.

    $ sed -i '/\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*

srg_requirement: '{{{ full_name }}} must require users to reauthenticate for privilege escalation.'