There are rules (e.g. sudo_require_reauthentication, but probably others) that check sudo's configuration by scanning /etc/sudoers and all files in /etc/sudoers.d. For example, sudo_require_reauthentication uses the regex ^\/etc\/(sudoers|sudoers\.d\/.*)$.
This is mostly correct, assuming /etc/sudoers actually has an includedir for that directory, but sudo ignores certain filename patterns. From the sudoers man page:
For example, given:
@includedir /etc/sudoers.d
sudo will suspend processing of the current file and read each file in /etc/sudoers.d, skipping file names that end in ‘~’ or contain a ‘.’ character to avoid causing problems with package manager or editor temporary/backup files.
So if /etc/sudoers.d/example.conf contains Defaults timestamp_timeout=1, sudo will ignore it but an oscap run will mark it as passing.
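To make the gap concrete, here is an added example (not part of the original report or of the scanner's own code) that applies the rule's regex and sudo's @includedir filename filter to a constructed set of files, reporting which files would be credited by the scanner but never parsed by sudo. It assumes /etc/sudoers does contain the @includedir line, and it adds a second skipped case, a name ending in '~', beyond the example.conf case in the report.

```python
import re

# Regex the report quotes from the sudo_require_reauthentication rule.
SCANNER_RE = re.compile(r"^/etc/(sudoers|sudoers\.d/.*)$")
TIMEOUT_RE = re.compile(r"^\s*Defaults\s+timestamp_timeout\s*=\s*(-?\d+)\s*$")

# Constructed sample (path -> content), not taken from any real host.
SAMPLE_FILES = {
    "/etc/sudoers": "Defaults env_reset\n@includedir /etc/sudoers.d\n",
    "/etc/sudoers.d/example.conf": "Defaults timestamp_timeout=1\n",  # '.' in name: skipped by sudo
    "/etc/sudoers.d/example~": "Defaults timestamp_timeout=1\n",      # ends in '~': skipped by sudo
    "/etc/sudoers.d/example": "Defaults timestamp_timeout=1\n",       # actually read by sudo
}

def scanner_checks(path):
    """Would the rule's regex select this file for inspection?"""
    return SCANNER_RE.match(path) is not None

def sudo_reads(path):
    """Would sudo parse this file?  /etc/sudoers is read directly; files under the
    @includedir (assumed present in /etc/sudoers) are skipped when the name ends
    in '~' or contains a '.' character, as the sudoers man page states."""
    if path == "/etc/sudoers":
        return True
    if path.startswith("/etc/sudoers.d/"):
        name = path[len("/etc/sudoers.d/"):]
        return not (name.endswith("~") or "." in name)
    return False

def timestamp_timeout_files(files, accept):
    """Paths accepted by `accept` whose content sets Defaults timestamp_timeout."""
    found = []
    for path, content in files.items():
        if accept(path) and any(TIMEOUT_RE.match(line) for line in content.splitlines()):
            found.append(path)
    return sorted(found)

def false_positives(files):
    """Files the scanner would credit but sudo never reads: the gap the report describes."""
    return sorted(set(timestamp_timeout_files(files, scanner_checks))
                  - set(timestamp_timeout_files(files, sudo_reads)))

if __name__ == "__main__":
    print("scanner credits:", timestamp_timeout_files(SAMPLE_FILES, scanner_checks))
    print("sudo honours:   ", timestamp_timeout_files(SAMPLE_FILES, sudo_reads))
    print("false positives:", false_positives(SAMPLE_FILES))
```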