File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (65 lines) | stat: -rw-r--r-- 2,766 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
 
documentation_complete: true

title: 'Ensure invoking users password for privilege escalation when using sudo'


description: |-
    The sudoers security policy requires that users authenticate themselves before they can use sudo.
    When sudoers requires authentication, it validates the invoking user's credentials.
    The expected output for:
    <pre> sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' </pre>
    <pre> Defaults !targetpw
          Defaults !rootpw
          Defaults !runaspw </pre>
    or if cvtsudoers not supported:
    <pre> sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; </pre>
    <pre> /etc/sudoers:Defaults !targetpw
          /etc/sudoers:Defaults !rootpw
          /etc/sudoers:Defaults !runaspw </pre>

severity: medium

rationale: |-
    If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
    the invoking user for the "root" user password.

identifiers:
    cce@rhel8: CCE-83422-6
    cce@rhel9: CCE-83529-8
    cce@rhel10: CCE-88855-2
    cce@sle12: CCE-83230-3
    cce@sle15: CCE-85747-4
    cce@slmicro5: CCE-93735-9
    cce@slmicro6: CCE-95043-6 

references:
    nist: CM-6(b),CM-6.1(iv)
    srg: SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-010342
    stigid@ol8: OL08-00-010383
    stigid@sle12: SLES-12-010112
    stigid@sle15: SLES-15-020103

ocil_clause: 'invoke user passwd when using sudo'

ocil: |-
    Run the following command to Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:
    <pre> sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' </pre>
    or if cvtsudoers not supported:
    <pre> sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \; </pre>
    If no results are returned, this is a finding.
    If conflicting results are returned, this is a finding.
    If "Defaults !targetpw" is not defined, this is a finding.
    If "Defaults !rootpw" is not defined, this is a finding.
    If "Defaults !runaspw" is not defined, this is a finding.

fixtext: |-
    Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:
    Defaults !targetpw
    Defaults !rootpw
    Defaults !runaspw

srg_requirement: |-
  {{{ full_name }}} must use the invoking user's password for privilege escalation when using "sudo".

platform: package[sudo]