From 717d64851cc6b659ffbed61126a205acefdf0e63 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 5 Sep 2024 09:10:23 +0100
Subject: [PATCH] added improvement to 5.2.4
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 7 +++++++
 tasks/section_5/cis_5.2.x.yml | 22 ++++++++++++++++------
 2 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 100826c..1db43cd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -899,6 +899,13 @@ ubtu24cis_sudo_package: "sudo"
 ## Control 5.2.3
 # This variable defines the path and file name of the sudo log file.
 ubtu24cis_sudo_logfile: "/var/log/sudo.log"
+
+## control 5.2.4 sudoers NOPASSWD
+# This will leave NOPASSWD intact for these users
+ubtu24cis_sudoers_exclude_nopasswd_list:
+  - ec2-user
+  - vagrant
+
 ## Control 5.2.6
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 224c28e..05bfaa1 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
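Review bot: The comment on the new `ubtu24cis_sudoers_exclude_nopasswd_list` should state that the exemption is unconditional: the rule it replaces only carved out `ec2-user` when `system_is_ec2` was true, whereas these defaults now keep passwordless sudo for `ec2-user` and `vagrant` on every host the role runs against, a deviation from the control that operators of non-cloud, non-Vagrant systems will want to override. A line such as `# Accounts listed here keep NOPASSWD on every host (no longer gated on system_is_ec2); override to match the target's deviation policy` above the key would make that trade-off visible where the variable is set. The names are interpolated verbatim into the 5.2.4 regexp, so the comment should also say they must be plain account names.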
@@ -57,12 +57,22 @@
     - sudo
     - rule_5.2.4
     - NIST800-53R5_AC-6
-  ansible.builtin.replace:
-    path: "{{ item }}"
-    regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
-    replace: '\1PASSWD\2'
-    validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ prelim_sudoers_files.stdout_lines }}"
+  block:
+    - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD"
+      ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
+      become: true
+      changed_when: false
+      failed_when: false
+      register: discovered_sudoers_nopasswd
+
+    - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+      when: discovered_sudoers_nopasswd.stdout | length > 0
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: '^((?!#|{% for name in ubtu24cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
+        replace: '\1PASSWD\2'
+        validate: '/usr/sbin/visudo -cf %s'
+      loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"
 
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when:
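Review bot: With `ubtu24cis_sudoers_exclude_nopasswd_list` set to `[]`, the Jinja loop in the new `regexp` renders `(?!#|)`, whose empty alternative makes the negative lookahead fail on every line, so no NOPASSWD entry is rewritten and the control silently does nothing. The names are also interpolated unescaped and matched only as a line prefix, so `ec2-user` exempts `ec2-user2` as well, and a name containing a regex metacharacter (a dot, for instance) matches more than the literal account. Guarding the alternation and escaping each name fixes both: `regexp: '^((?!#{% if ubtu24cis_sudoers_exclude_nopasswd_list | length > 0 %}|(?:{{ ubtu24cis_sudoers_exclude_nopasswd_list | map("regex_escape") | join("|") }})\s{% endif %}).*)NOPASSWD(.*)'`. The `grep ... | cut` discovery task prints a file once per matching line, so `loop: "{{ discovered_sudoers_nopasswd.stdout_lines | unique }}"` avoids running replace repeatedly against the same path. The enclosing 5.2.4 task (its `name`, `when` and `tags`) starts before the hunk.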