HarryHarcourt / Ansible-RHEL7-CIS-Benchmarks

This repository contains an Ansible Role for RHEL7 / CentOS based on the Center for Internet Security Benchmarks
MIT License

Usage of sudo is possible without password after applying role #8

Closed thorian93 closed 6 years ago

thorian93 commented 6 years ago

I found an issue that I can not really evaluate: After running the role on a CentOS 7 system I am able to use sudo without a password as a member of the wheel group, although this is not configured in the sudoers file and by default the user password should be required to perform sudo operations.

I am not sure whether this draws a proper picture of the issue but I would appreciate any input on this matter.

Thanks in advance!

HarryHarcourt commented 6 years ago

Hi thorian93 I went through the CIS Security Benchmarks for RedHat (what I am working from) and there is no requirement to address this (thus ensure that a user who is a member of the wheel group is required to enter a password when running a command). I would ask what distribution you are running (where the source came from - and if during installation an option was select to enable this). What I will say is that within the role I make no changes to the sudoers file, the changes I make relate to 4.1.15 and 4.1.16 which ensure the logs are enabled. Best Ben

thorian93 commented 6 years ago

Hi Ben,
yeah I am aware that that is not a general requirement, but I want to implement it as an additional layer of security.
I am using CentOS 7.4 fully patched and after basic setup the settings were just fine: When using sudo in any way it prompted for my user password. After running the role against the box this behaviour changed as described and I can't figure out where this comes from. Especially because the role only changes auditing rules and nothing regarding the sudo mechanics itself. I am kinda lost here..
But I will continue looking into it when I find time and keep you posted if I find anything. If you have any ideas just let me know.
Thanks!

HarryHarcourt commented 6 years ago

Hi Thorian93 Will try and replicate it myself. Sudo is an area I have thought about addressing but it is so customized by people it would be a challenge addressing everyone's needs. It might be worthwhile identifying X number of key configurations and addressing those, leaving a space for the rest. Thoughts are welcome. Best Ben

thorian93 commented 6 years ago

Hi Harry,
I figured it out, at least the problem itself: When configuring PAM in Section 5.3.2 and 5.3.3 (although 5.3.3. is not implemented), something in that configuration tells PAM to allow the usage of su and sudo without requiring a password.
For now I simply exclude those two sections, but I would highly appreciate it if you or someone else is able to explain or maybe fix this unwanted behaviour.
From my point you can close the issue if you want, or leave it open until it is fixed properly.

HarryHarcourt commented 6 years ago

Hi Thorian93 Good job, I don't really know what to say other than thanks. How to address this is another thing, really what I want to do is to go back to the CIS Team with this and ask for their recommendation. I think this is one of those items where the combination of all their recommendations balks something (in this case sudo PASSWORD). Can you let me know how you tested / proved this? The challenge is (could be my imagination) but I thought I took a CentOS 7.4 minimal image with no changes and could do stuff (sudo) after the default 15 minutes without being challenged with a password, without running the role. If you can tell me how you tested it I will replicate and log it somewhere. Thanks Ben

thorian93 commented 6 years ago

Hi Harry, my last test was against CentOS 7.5 minimal installation. I took your role as provided. Before the run sudo prompts for a password on first use at least and after the run, where I skipped 5.3.2 it still works as expected. If you need more info just let me know.

HarryHarcourt commented 6 years ago

Ok - will see if I can replicate (I could not get my role to run completely against CentOS 7.4 - will try 7.5). Thanks

HarryHarcourt commented 6 years ago

Hi thorian93 Fixed it, it was my fault thinking RedHat knew more..... I have updated the templates for password-auth-local and system-auth-local (put the old files in the "old" directory - if you confirm I will delete them). I will also remove the link to the RedHat site from where I got the original information - as it does not seem to be effective. Here is the output from what I did:

CentOS 1804 minimal:

- Default installation - enabled NIC, NAT (running Virtual Box)
- Default partitioning
- Allocated root password
- Created a user with administrative rights (ticked the box)
- Installed and rebooted

From man sudo /default - the default password prompt timeout for the sudoers security policy is 5 minutes, the default sudoers policy is to cache the credentials for 5 minutes.

Whilst logged into the console:

| Time | Command | Outcome |
|---|---|---|
| 18:57 | sudo cat /etc/shadow | entered password |
| 19:01 | sudo cat /etc/shadow | no password |
| 19:08 | sudo cat /etc/shadow | entered password |

Whilst logged in over SSH:

| Time | Command | Outcome |
|---|---|---|
| 19:14 | sudo cat /etc/shadow | entered password |
| 19:16 | exit and copied keys across | |
| 19:18 | sudo cat /etc/shadow | entered password |
| 19:22 | sudo cat /etc/shadow | entered password |
| 19:29 | sudo cat /etc/shadow | entered password |

| Time | Command | Outcome |
|---|---|---|
| 19:31 | ansible-playbook pb_cis.yml --tags "5.3.2" --ask-sudo-pass | entered password |
| 19:32 | applied that one change (essentially 5.3.2 and 5.3.3) as one | |
| 19:33 | applied again | no changes (all ok) |

Whilst logged in over SSH:

| Time | Command | Outcome |
|---|---|---|
| 19:34 | sudo cat /etc/shadow | no password |

Ran through the CIS Benchmark Section 5.3.2 and 5.3.3 - saw difference. Actually I took the instruction from RedHat thinking they would know better but…. Corrected the template to be the same as CIS Benchmark recommendations. Ran the playbook again for 5.3.2.

Whilst logging in over SSH:

| Time | Command | Outcome |
|---|---|---|
| 20:15 | sudo cat /etc/shadow | entered password |
| | Logged off | |
| 20:16 | sudo cat /etc/shadow | entered password |
| 20:17 | sudo cat /etc/shadow | no password |
| 20:25 | sudo cat /etc/shadow | entered password |

Thus all should be good, let me know and I will close! Thanks!! Best Ben
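A defender-side check for the class of problem discussed in this thread (a PAM auth stack that can succeed before any module has verified a password), as an added example that is not code from the role or its templates. The module lists and the two sample stacks are constructed assumptions in RHEL 7 `/etc/pam.d/system-auth` syntax; run it against a real template before and after applying a change.

```python
"""Lint a PAM 'auth' stack for lines that end it successfully before a credential check.

Added example, not part of the Ansible-RHEL7-CIS-Benchmarks role. Parses RHEL 7 style
/etc/pam.d/system-auth syntax. Module lists are illustrative assumptions, not exhaustive.
"""

# Modules that can return success without verifying a password (assumption).
NO_CREDENTIAL_MODULES = {"pam_permit.so", "pam_succeed_if.so"}
# Modules that actually verify a credential (assumption).
CREDENTIAL_MODULES = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so"}


def parse_auth_stack(text):
    """Return (control, module) pairs for the 'auth' lines of a PAM file, in order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1].startswith("["):                # bracketed control, e.g. [success=done default=ignore]
            end = line.index("]")
            control = line[line.index("["):end + 1]
            rest = line[end + 1:].split()
            if not rest:
                continue
            module = rest[0]
        else:
            control, module = fields[1], fields[2]
        stack.append((control, module))
    return stack


def ends_stack_on_success(control):
    """True if PAM_SUCCESS from this line finishes the auth stack with success."""
    return control == "sufficient" or "success=done" in control


def find_password_bypass(text):
    """Return auth lines that can finish the stack successfully before any credential module ran."""
    findings, verified = [], False
    for control, module in parse_auth_stack(text):
        if module in CREDENTIAL_MODULES:
            verified = True
        elif module in NO_CREDENTIAL_MODULES and not verified and ends_stack_on_success(control):
            findings.append(f"auth {control} {module}")
    return findings


# Constructed samples: a stack that checks the password first, and one that does not.
CONSTRUCTED_GOOD = """auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""
CONSTRUCTED_BAD = """auth required pam_env.so
auth sufficient pam_permit.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""

if __name__ == "__main__":
    for name, stack in (("good", CONSTRUCTED_GOOD), ("bad", CONSTRUCTED_BAD)):
        print(name, find_password_bypass(stack) or "no bypass found")
```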

HarryHarcourt commented 6 years ago

Hi Thorian93 Going to close this if no further response and tidy up the code. Best Ben

thorian93 commented 6 years ago

Hi Ben,
so sorry I didn't respond earlier, I was on holiday and then on sick leave..
I will test the changes as soon as possible and give you feedback, but that could take a little while.
But I will give feedback, once I finished testing.

HarryHarcourt commented 6 years ago

Thanks, let me know, Best Ben

thorian93 commented 6 years ago

Hi Ben, just letting you know, that I can reproduce your fix, it works.
Thanks for the good work! From my point of view this issue can be closed now.

HarryHarcourt commented 6 years ago

Hi Thorian93 Will tidy up (remove reference to the original page I got from RedHat on how I configured the file) and leave it as is. Thanks for following up Best Ben