Rules Related To 'sudo'

Component overview

Changelog:

No changes recorded.

Rule details

Verify Group Who Owns /etc/sudoers.d Directory

directory_groupowner_etc_sudoersd

Description

To properly set the group owner of /etc/sudoers.d, run the command:

$ sudo chgrp root /etc/sudoers.d

Rationale

The ownership of the /etc/sudoers.d directory by the root group is important because this directory hosts sudo configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the sudo configuration.

Verify User Who Owns /etc/sudoers.d Directory

directory_owner_etc_sudoersd

Description

To properly set the owner of /etc/sudoers.d, run the command:

$ sudo chown root /etc/sudoers.d 

Rationale

The ownership of the /etc/sudoers.d directory by the root user is important because this directory hosts sudo configuration. Protection of this directory is critical for system security. Assigning the ownership to root ensures exclusive control of the sudo configuration.

Verify Permissions On /etc/sudoers.d Directory

directory_permissions_etc_sudoersd

Description

To properly set the permissions of /etc/sudoers.d, run the command:

$ sudo chmod 0750 /etc/sudoers.d

Rationale

Setting correct permissions on the /etc/sudoers.d directory is important because this directory hosts sudo configuration. Protection of this directory is critical for system security. Restricting the permissions ensures exclusive control of the sudo configuration.

Verify Group Who Owns /etc/sudoers File

file_groupowner_etc_sudoers

Description

To properly set the group owner of /etc/sudoers, run the command:

$ sudo chgrp root /etc/sudoers

Rationale

The ownership of the /etc/sudoers file by the root group is important because this file hosts sudo configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the sudo configuration.

Verify User Who Owns /etc/sudoers File

file_owner_etc_sudoers

Description

To properly set the owner of /etc/sudoers, run the command:

$ sudo chown root /etc/sudoers 

Rationale

The ownership of the /etc/sudoers file by the root user is important because this file hosts sudo configuration. Protection of this file is critical for system security. Assigning the ownership to root ensures exclusive control of the sudo configuration.

Verify Permissions On /etc/sudoers File

file_permissions_etc_sudoers

Description

To properly set the permissions of /etc/sudoers, run the command:

$ sudo chmod 0440 /etc/sudoers

Rationale

Setting correct permissions on the /etc/sudoers file is important because this file hosts sudo configuration. Protection of this file is critical for system security. Restricting the permissions ensures exclusive control of the sudo configuration.
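A shell check for the six ownership and permission rules above, written for this page rather than taken from the ComplianceAsCode project; it also covers the mode the later file_permissions_sudo rule gives for /usr/bin/sudo, and assumes GNU stat as shipped on RHEL 9:

```shell
#!/bin/bash
# Added example, not ComplianceAsCode's own OVAL or remediation content: verify
# the owner, group and mode that the rules above require for the sudo
# configuration, plus the sudo binary itself. Assumes GNU stat (RHEL 9).

# check_path PATH MODE OWNER GROUP: return 0 when PATH has exactly that octal
# mode, owner and group; otherwise print each mismatch and return 1.
# "750" and "0750" are treated alike.
check_path() {
    local path=$1 want_mode=$2 want_owner=$3 want_group=$4 mode owner group rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    set -- $(stat -c '%a %U %G' "$path")          # actual mode, owner, group
    mode=$(printf '%04o' "0$1"); owner=$2; group=$3
    want_mode=$(printf '%04o' "0$want_mode")     # normalise, e.g. 750 -> 0750
    [ "$mode" = "$want_mode" ]   || { echo "MODE  $path is $mode, want $want_mode"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "OWNER $path is $owner, want $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP $path is $group, want $want_group"; rc=1; }
    return $rc
}

# audit_sudo_paths: the values from the rules on this page. The binary is 4111
# per file_permissions_sudo; use 4110 when
# sudo_restrict_others_executable_permission is applied as well.
audit_sudo_paths() {
    local rc=0
    check_path /etc/sudoers.d 0750 root root || rc=1
    check_path /etc/sudoers   0440 root root || rc=1
    check_path /usr/bin/sudo  4111 root root || rc=1
    return $rc
}

if [ "${1:-}" = --live ]; then audit_sudo_paths; fi   # run against the real system
```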

Install sudo Package

package_sudo_installed

Description

The sudo package can be installed with the following command:

$ sudo dnf install sudo

Rationale

sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.

Ensure sudo Runs In A Minimal Environment - sudo env_reset

sudo_add_env_reset

Description

The sudo env_reset tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. On Red Hat Enterprise Linux 9, env_reset is enabled by default. This should be enabled by making sure that the env_reset tag exists in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentally, preventing leaks of potentially sensitive information.

Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

sudo_add_ignore_dot

Description

The sudo ignore_dot tag, when specified, will ignore the current directory in the PATH environment variable. On Red Hat Enterprise Linux 9, ignore_dot is enabled by default. This should be enabled by making sure that the ignore_dot tag exists in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally.

Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC

sudo_add_noexec

Description

The sudo NOEXEC tag, when specified, prevents user executed commands from executing other commands, like a shell for example. This should be enabled by making sure that the NOEXEC tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise.

Ensure sudo passwd_timeout is appropriate - sudo passwd_timeout

sudo_add_passwd_timeout

Description

The sudo passwd_timeout tag sets the amount of time sudo password prompt waits. On Red Hat Enterprise Linux 9, the default passwd_timeout value is 5 minutes. The passwd_timeout should be configured by making sure that the passwd_timeout=$var_sudo_passwd_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Reducing the time sudo waits for a password reduces the time the process is exposed.

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty

sudo_add_requiretty

Description

The sudo requiretty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the requiretty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Restricting the use cases in which a user is allowed to execute sudo commands reduces the attack surface.

Ensure sudo umask is appropriate - sudo umask

sudo_add_umask

Description

The sudo umask tag, when specified, will be added to the user's umask in the command environment. On Red Hat Enterprise Linux 9, the default umask value is 0022. The umask should be configured by making sure that the umask=$var_sudo_umask tag exists in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

sudo_add_use_pty

Description

The sudo use_pty tag, when specified, will run sudo commands in a pseudo-terminal. This should be enabled by making sure that the use_pty tag exists in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.

Ensure Sudo Logfile Exists - sudo logfile

sudo_custom_logfile

Description

A custom sudo log file can be configured with the 'logfile' tag. This rule configures a custom sudo logfile at the default location suggested by CIS, /var/log/sudo.log.

Rationale

A sudo log file simplifies auditing of sudo commands.
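An added example, not the project's own OVAL content, that reads the global Defaults tags from sudoers files the way the rules from sudo_add_env_reset through sudo_custom_logfile above describe, later files overriding earlier ones:

```shell
#!/bin/bash
# Added example, not ComplianceAsCode's own OVAL or remediation content: report
# the effective state of the Defaults tags required by the rules above. Assumes
# the RHEL 9 layout (/etc/sudoers plus drop-ins in /etc/sudoers.d); only global
# "Defaults" lines count (Defaults:user, Defaults@host, ... are ignored), "#"
# starts a comment, and "\" continuation lines are not joined.

# sudoers_files: /etc/sudoers, then the drop-ins sudo itself would load
# (names containing "." or ending in "~" are skipped, as sudo skips them).
sudoers_files() {
    [ -r /etc/sudoers ] && echo /etc/sudoers
    find /etc/sudoers.d -maxdepth 1 -type f ! -name '*.*' ! -name '*~' 2>/dev/null | sort
}

# sudoers_get_default TAG FILE...: print "on", "off" or "=VALUE" for TAG, later
# files and lines overriding earlier ones as they do for sudo; "unset" if absent.
sudoers_get_default() {
    local tag=$1 state=unset items item oldifs; shift
    [ $# -gt 0 ] || { echo unset; return 0; }
    items=$(sed -n 's/[[:blank:]]*#.*//; s/[[:blank:]]*=[[:blank:]]*/=/g;
                    s/^[[:blank:]]*Defaults[[:blank:]]\{1,\}//p' "$@" 2>/dev/null | tr ',' '\n')
    oldifs=$IFS; IFS='
'; set -f                              # split the list on newlines only, no globbing
    for item in $items; do
        item=${item#"${item%%[![:blank:]]*}"}; item=${item%"${item##*[![:blank:]]}"}
        case $item in
            "$tag")   state=on ;;
            "!$tag")  state=off ;;
            "$tag"=*) state="=${item#*=}" ;;
        esac
    done
    IFS=$oldifs; set +f
    echo "$state"
}

# audit_sudo_defaults FILE...: one FAIL line per unmet rule; returns 1 if any
audit_sudo_defaults() {
    local rc=0 tag s
    for tag in env_reset ignore_dot requiretty use_pty; do         # flag tags
        s=$(sudoers_get_default "$tag" "$@")
        [ "$s" = on ] || { echo "FAIL $tag is $s, want on"; rc=1; }
    done
    for tag in passwd_timeout umask logfile; do                    # value tags
        s=$(sudoers_get_default "$tag" "$@")
        case $s in =*) ;; *) echo "FAIL $tag is $s, want an explicit value"; rc=1 ;; esac
    done
    return $rc
}

if [ "${1:-}" = --live ]; then audit_sudo_defaults $(sudoers_files); fi   # real system
```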

Ensure a dedicated group owns sudo

sudo_dedicated_group

Description

Restrict the execution of privilege escalated commands to a dedicated group of users. Ensure the group owner of /usr/bin/sudo is $var_sudo_dedicated_group.

Rationale

Restricting the set of users able to execute commands as privileged user reduces the attack surface.

Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate

sudo_remove_no_authenticate

Description

The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

sudo_remove_nopasswd

Description

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure Users Re-Authenticate for Privilege Escalation - sudo

sudo_require_authentication

Description

The sudo NOPASSWD and !authenticate options, when specified, allow a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Require Re-Authentication When Using the sudo Command

sudo_require_reauthentication

Description

The sudo timestamp_timeout tag sets the amount of time, in minutes, that sudo accepts a previous authentication before asking for the password again. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in the /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure only owner and members of group owner of /usr/bin/sudo can execute it

sudo_restrict_others_executable_permission

Description

Remove the execute permission bit of /usr/bin/sudo for other users. To properly set the permissions of /usr/bin/sudo, run the command:

$ sudo chmod 4110 /usr/bin/sudo

Rationale

Restricting the set of users able to execute commands as privileged user reduces the attack surface.

The operating system must restrict privilege elevation to authorized personnel

sudo_restrict_privilege_elevation_to_authorized

Description

The sudo command allows a user to execute programs with elevated (administrator) privileges. It prompts the user for their password and confirms the request to execute a command by checking a file called sudoers. Restrict privileged actions by removing the following entries from the sudoers file:

ALL ALL=(ALL) ALL
ALL ALL=(ALL:ALL) ALL

Rationale

If the "sudoers" file is not configured correctly, any user defined on the system can initiate privileged actions on the target system.

Only the VDSM User Can Use sudo NOPASSWD

sudo_vdsm_nopasswd

Description

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the vdsm user should have this capability in any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Ensure sudo only includes the default configuration directory

sudoers_default_includedir

Description

Administrators can configure authorized sudo users via drop-in files, and it is possible to include other directories and configuration files from the file currently being parsed. Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d, or that no drop-in file is included. Either /etc/sudoers should contain only one #includedir directive pointing to /etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories; or /etc/sudoers should not contain any #include, @include, #includedir or @includedir directives. Note that in these directives the '#' character does not denote a comment.

Rationale

Some sudo configuration options allow users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.

Explicit arguments in sudo specifications

sudoers_explicit_command_args

Description

All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user. If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.

Rationale

Any argument can modify quite significantly the behavior of a program, whether regarding the realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the level of its specification. For example, on some systems, the kernel messages are only accessible by root. If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted in order to prevent the user from flushing the buffer through the -c option:

user ALL = dmesg ""

Don't define allowed commands in sudoers by means of exclusion

sudoers_no_command_negation

Description

Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the sudoers file contains a comma-delimited list of command specifications. The definition can make use of glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.

Rationale

Specifying access rights using negation is inefficient and can be easily circumvented. For example, it is expected that a specification like

# To be avoided absolutely: this rule can be easily circumvented!
user ALL = ALL, !/bin/sh

prevents the execution of the shell, but that's not the case: just copy the binary /bin/sh to a different name to make it executable again through the rule keyword ALL.

Don't target root user in the sudoers file

sudoers_no_root_target

Description

The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root). User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and ALL or root should not be used.

Rationale

It is common that the command to be executed does not require superuser rights (editing a file whose owner is not root, sending a signal to an unprivileged process, etc.). In order to limit any attempt of privilege escalation through a command, it is better to apply normal user rights.

Ensure invoking users password for privilege escalation when using sudo

sudoers_validate_passwd

Description

The sudoers security policy requires that users authenticate themselves before they can use sudo. When sudoers requires authentication, it validates the invoking user's credentials. The expected output of:

$ sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$'
Defaults !targetpw
Defaults !rootpw
Defaults !runaspw

or, if cvtsudoers is not supported:

$ sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw

Rationale

If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password.
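An added linter, not the project's own check, for the user-specification, include and password-validation rules from sudo_remove_no_authenticate through sudoers_validate_passwd above; the rule ids it prints are the ones on this page, and the file layout it parses is the one those rules describe:

```shell
#!/bin/bash
# Added example, not ComplianceAsCode's own OVAL or remediation content: a small
# linter that prints FILE:LINE:RULE_ID for the sudoers constructs the rules
# above forbid. Assumes one entry per line (no "\" continuations) and the
# sudoers convention that "#" starts a comment unless it begins an
# #include/#includedir directive.

# lint_sudoers_line FILE LINENO TEXT: print the findings for one line
lint_sudoers_line() {
    local f=$1 n=$2 line=$3 body norm
    line=${line#"${line%%[![:blank:]]*}"}              # drop leading blanks
    body=${line%%#*}                                   # drop trailing comment
    norm=$(printf '%s' "$body" | sed 's/[[:blank:]]*=[[:blank:]]*/=/; s/[[:blank:]]\{1,\}/ /g; s/ $//')
    case $line in
        '#includedir /etc/sudoers.d'|'@includedir /etc/sudoers.d') ;;   # the one allowed include
        '#include'*|'@include'*) echo "$f:$n:sudoers_default_includedir" ;;
        '#'*|'') ;;                                    # comment or blank line
        Defaults*)                                     # option lines
            printf '%s' "$norm" | grep -Eq '(^|[ ,])(rootpw|targetpw|runaspw)' \
                && echo "$f:$n:sudoers_validate_passwd"
            case $norm in *'!authenticate'*) echo "$f:$n:sudo_remove_no_authenticate" ;; esac
            case $norm in *'timestamp_timeout=-'*) echo "$f:$n:sudo_require_reauthentication" ;; esac ;;
        *_Alias*) ;;                                   # alias definitions, not checked here
        *=*)                                           # user spec: user host=(runas) [tags] commands
            case $norm in 'ALL ALL=(ALL) ALL'|'ALL ALL=(ALL:ALL) ALL')
                echo "$f:$n:sudo_restrict_privilege_elevation_to_authorized" ;; esac
            case $norm in *NOPASSWD:*) echo "$f:$n:sudo_remove_nopasswd" ;; esac
            case ${norm#*=} in *'!'*) echo "$f:$n:sudoers_no_command_negation" ;; esac
            case ${norm#*=} in
                '(ALL)'*|'(ALL:'*|'(root)'*|'(root:'*) echo "$f:$n:sudoers_no_root_target" ;;
                '('*) ;;                               # explicit, non-root runas list
                *) echo "$f:$n:sudoers_no_root_target" ;;   # no runas list: defaults to root
            esac ;;
    esac
}

# sudoers_lint FILE...: print all findings; returns 1 if there were any
sudoers_lint() {
    local f n line out
    out=$(for f in "$@"; do n=0
            while IFS= read -r line || [ -n "$line" ]; do
                n=$((n + 1)); lint_sudoers_line "$f" "$n" "$line"
            done < "$f"
          done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```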

Ensure That the sudo Binary Has the Correct Permissions

file_permissions_sudo

Description

To properly set the permissions of /usr/bin/sudo, run the command:

$ sudo chmod 4111 /usr/bin/sudo

Rationale

The sudo program should only be usable by people who have the correct permissions.