V-58901: sudo requires auth

Implements: blueprint security-hardening Change-Id: I3ca1a2cbd4af2b77b65fe7a69eb0a757482180bc
2015-10-13 09:19:45 -05:00 · 2015-10-13 09:19:45 -05:00 · 175be75cf6
commit 175be75cf6
parent 564badcb5e
2 changed files with 32 additions and 0 deletions
--- a/doc/source/developer-notes/V-58901.rst
+++ b/doc/source/developer-notes/V-58901.rst
@ -0,0 +1,3 @@
+The Ansible tasks will search for ``NOPASSWD`` and ``!authenticate`` in the
+sudo configuration. If either is found, the playbook will fail and an error
+message will be printed.
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@ -329,3 +329,32 @@
    - auth
    - cat3
    - V-38683
+
+- name: Checking for NOPASSWD in sudoers (for V-58901)
+  shell: "egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*"
+  register: v58901_nopasswd_result
+  changed_when: False
+  failed_when: v58901_nopasswd_result.rc > 1
+  tags:
+    - auth
+    - cat2
+    - V-58901
+
+- name: Checking for !authenticate in sudoers (for V-58901)
+  shell: "egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*"
+  register: v58901_authenticate_result
+  changed_when: False
+  failed_when: v58901_authenticate_result.rc > 1
+  tags:
+    - auth
+    - cat2
+    - V-58901
+
+- name: V-58901 - The sudo command must require authentication
+  fail:
+    msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
+  when: v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0
+  tags:
+    - auth
+    - cat2
+    - V-58901