Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insufficient regex in rule 5.3.3 check #39

Open
lsedlacik opened this issue Nov 11, 2024 · 1 comment
Open

Insufficient regex in rule 5.3.3 check #39

lsedlacik opened this issue Nov 11, 2024 · 1 comment
Assignees
@uk-bolly
Labels
bug Something isn't working

Comments

@lsedlacik
Copy link

lsedlacik commented Nov 11, 2024
edited
Loading

Describe the Issue
The regular expression checking validity of logfile value in sudo configuration, '^Defaults logfile=/var/log/*.log' is woefully insufficient, it doesn't even match the value set by UBUNTU22-CIS remediation playbook (code from the latest release 1.4.1):
https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/89821b87ed07712e611cf975757d7c4cdda06e1e/tasks/section_5/cis_5.3.x.yml#L33

- name: "5.3.3 | PATCH | Ensure sudo log file exists"
  ansible.builtin.lineinfile:
      path: /etc/sudoers
      regexp: '^Defaults\s+logfile'
      line: 'Defaults        logfile="{{ ubtu22cis_sudo_logfile }}"'
      insertafter: '^\s*Defaults'

generates the following line:

Defaults        logfile="/var/log/sudo.log"

Expected Behavior
/etc/sudoers should have 1 match.

Actual Behavior

# grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/
/etc/sudoers:0
grep: /etc/sudoers.d/../: Is a directory
/etc/sudoers.d/../:0
grep: /etc/sudoers.d/./: Is a directory
/etc/sudoers.d/./:0

Control(s) Affected
CIS 5.3.3

Environment (please complete the following information):

  • branch being used: benchmark-v1.0.0
  • Ansible Version: 2.17.5
  • Host Python Version: Python 3.10.12
  • Ansible Server Python Version: Python 3.11.10
  • Additional Details:

Additional Notes
This got uncovered by merging fix for #36

Possible Solution
The regular expression needs to be expanded to match at least the basic format allowed by sudoers(5), and definitely match what the remediation playbook sets.

Suggested regex as a starting point, that keeps the original intention and allows for setting flags or more detailed Defaults, double quotes around the filename, and correctly matches file name wildcard:

^Defaults(?:[@:!>]\S+)?\s+(?:\w+(?:,\s*)?)*logfile=[\"]?/var/log/.*\.log[\"]?$

It should match the value set by remediation playbook, the example from sudoers(5), etc.

Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
@lsedlacik lsedlacik added the bug Something isn't working label Nov 11, 2024
@uk-bolly uk-bolly self-assigned this Nov 11, 2024
uk-bolly added a commit that referenced this issue Nov 11, 2024
@uk-bolly
updated to capture great options #39
9d2b4e0 
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly
Copy link
Member

uk-bolly commented Nov 11, 2024
edited
Loading

hi @lsedlacik

Thank you for taking the time to feedback on this issue. I have rewritten to capture different solutions. This now works with the sudoers example you provided as well as the one set if using the remediation playbook.
I have created a new branch issue_39 which i hope resolves the issue you have rightly highlighted.

many thanks

uk-bolly

uk-bolly added a commit that referenced this issue Nov 11, 2024
@uk-bolly
updated v2 for 5.2.3 as per issue #39
2ca8c1c 
Signed-off-by: Mark Bolwell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@uk-bolly uk-bolly

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@uk-bolly @lsedlacik