File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (64 lines) | stat: -rw-r--r-- 2,545 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
 
documentation_complete: true

title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD'

description: |-
    The sudo <tt>NOPASSWD</tt> tag, when specified, allows a user to execute
    commands using sudo without having to authenticate. This should be disabled
    by making sure that the <tt>NOPASSWD</tt> tag does not exist in
    <tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
    in <tt>/etc/sudoers.d/</tt>.

rationale: |-
    Without re-authentication, users may access resources or perform tasks for which they
    do not have authorization.
    <br /><br />
    When operating systems provide the capability to escalate a functional capability, it
    is critical that the user re-authenticate.

severity: medium

identifiers:
    cce@rhel8: CCE-82197-5
    cce@rhel9: CCE-83536-3
    cce@rhel10: CCE-87015-4
    cce@sle12: CCE-83012-5
    cce@sle15: CCE-85663-3
    cce@slmicro5: CCE-93714-4
    cce@slmicro6: CCE-94717-6

references:
    cis-csc: 1,12,15,16,5
    cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10
    isa-62443-2009: 4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
    iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
    nist: IA-11,CM-6(a)
    nist-csf: PR.AC-1,PR.AC-7
    srg: SRG-OS-000373-GPOS-00156,SRG-OS-000373-GPOS-00157,SRG-OS-000373-GPOS-00158
    stigid@ol7: OL07-00-010340
    stigid@ol8: OL08-00-010380
    stigid@sle12: SLES-12-010110
    stigid@sle15: SLES-15-010450

ocil_clause: 'nopasswd is specified in the sudo config files'

ocil: |-
    To determine if <tt>NOPASSWD</tt> has been configured for sudo, run the following command:
    <pre>$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/</pre>
    The command should return no output.

platforms:
{{{ rule_notapplicable_when_ovirt_installed() | indent(4)}}}

warnings:
{{{ warning_ovirt_rule_notapplicable("RHV requires to perform operations as root without being asked for password") | indent(4) }}}

fixtext: |-
    Check that {{{ full_name }}} is not configured to allow users to execute privileged actions without authenticating.

    Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.

    $ sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*

srg_requirement: '{{{ full_name }}} must require users to provide a password for privilege escalation.'