ansible-lockdown / UBUNTU22-CIS-Audit

Audit for Ubuntu 22 CIS
MIT License

Insufficient regex in rule 5.3.3 check #39

Open lsedlacik opened 2 days ago

lsedlacik commented 2 days ago

Describe the Issue

The regular expression checking the validity of the logfile value in the sudo configuration, '^Defaults logfile=/var/log/*.log', is woefully insufficient; it doesn't even match the value set by the UBUNTU22-CIS remediation playbook (code from the latest release, 1.4.1): https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/89821b87ed07712e611cf975757d7c4cdda06e1e/tasks/section_5/cis_5.3.x.yml#L33

- name: "5.3.3 | PATCH | Ensure sudo log file exists"
  ansible.builtin.lineinfile:
      path: /etc/sudoers
      regexp: '^Defaults\s+logfile'
      line: 'Defaults        logfile="{{ ubtu22cis_sudo_logfile }}"'
      insertafter: '^\s*Defaults'

generates the following line:

Defaults        logfile="/var/log/sudo.log"

Expected Behavior

/etc/sudoers should have 1 match.

Actual Behavior

# grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/
/etc/sudoers:0
grep: /etc/sudoers.d/../: Is a directory
/etc/sudoers.d/../:0
grep: /etc/sudoers.d/./: Is a directory
/etc/sudoers.d/./:0

Control(s) Affected

CIS 5.3.3

Environment (please complete the following information):

Additional Notes

This was uncovered by merging the fix for https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/issues/36

Possible Solution

The regular expression needs to be expanded to match at least the basic format allowed by sudoers(5), and definitely match what the remediation playbook sets.

Suggested regex as a starting point, which keeps the original intention, allows for setting flags or more detailed Defaults and double quotes around the filename, and correctly matches the file name wildcard:

^Defaults(?:[@:!>]\S+)?\s+(?:\w+(?:,\s*)?)*logfile=[\"]?/var/log/.*\.log[\"]?$

It should match the value set by the remediation playbook, the example from sudoers(5), etc.

Defaults@SERVERS        log_year, logfile=/var/log/sudo.log
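The following is an added example, not code from the UBUNTU22-CIS-Audit project or from the issue author: it runs both the current audit regex and the regex suggested above over a small set of sudoers lines and reports which compliant lines each pattern misses and which non-compliant lines it wrongly accepts. Two of the sample lines are the ones quoted in the issue (the line written by the remediation playbook and the sudoers(5) example); the rest are constructed for the test. One caveat for anyone porting the suggested pattern back into the audit's grep call: the non-capturing groups `(?:...)` are PCRE/Python syntax, not POSIX ERE, so with grep they need `-P` rather than `-E`.

```python
"""Compare sudoers 'Defaults logfile=' audit regexes against sample lines.

Added example, not code from the UBUNTU22-CIS-Audit project. Requires only
the Python standard library.
"""
import re

# Pattern the audit currently uses, as quoted in the issue. Note that
# '/*.log' means "zero or more slashes, any single character, then 'log'",
# so it cannot match a real file name such as sudo.log.
OLD_PATTERN = r'^Defaults logfile=/var/log/*.log'

# Pattern suggested in the issue, copied verbatim. The '(?:...)' groups are
# PCRE/Python syntax; with grep this pattern needs -P, not -E.
SUGGESTED_PATTERN = (
    r'^Defaults(?:[@:!>]\S+)?\s+(?:\w+(?:,\s*)?)*'
    r'logfile=[\"]?/var/log/.*\.log[\"]?$'
)

# Constructed sample lines: (sudoers line, should the audit accept it?).
SAMPLE_LINES = [
    # Written by the UBUNTU22-CIS remediation playbook (quoted path).
    ('Defaults        logfile="/var/log/sudo.log"', True),
    # Example from sudoers(5): host list plus another flag before logfile.
    ('Defaults@SERVERS        log_year, logfile=/var/log/sudo.log', True),
    # Minimal hand-written form.
    ('Defaults logfile=/var/log/sudo.log', True),
    # Log file outside /var/log: must NOT count as compliant.
    ('Defaults logfile=/tmp/sudo.log', False),
    # Unrelated Defaults line: must NOT count.
    ('Defaults        use_pty', False),
    # Commented-out setting: must NOT count.
    ('#Defaults logfile=/var/log/sudo.log', False),
]


def matching_lines(pattern, lines):
    """Return the lines the pattern accepts (what 'grep -c' would count)."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


def evaluate(pattern, samples=SAMPLE_LINES):
    """Return (accepted_count, missed_compliant, wrongly_accepted).

    missed_compliant lists lines that should pass the audit but do not;
    wrongly_accepted lists lines that should fail but are matched.
    """
    rx = re.compile(pattern)
    accepted = sum(1 for line, _ in samples if rx.search(line))
    missed = [line for line, ok in samples if ok and not rx.search(line)]
    wrong = [line for line, ok in samples if not ok and rx.search(line)]
    return accepted, missed, wrong


if __name__ == "__main__":
    for name, pattern in (("current", OLD_PATTERN),
                          ("suggested", SUGGESTED_PATTERN)):
        accepted, missed, wrong = evaluate(pattern)
        print(f"{name}: accepted={accepted}")
        for line in missed:
            print(f"  missed compliant line: {line}")
        for line in wrong:
            print(f"  wrongly accepted:      {line}")
```

Run as a script the current pattern accepts none of the three compliant lines, including the one the remediation playbook writes, while the suggested pattern accepts exactly those three and rejects the `/tmp` path, the unrelated `use_pty` line and the commented-out line.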

uk-bolly commented 2 days ago

hi @lsedlacik

Thank you for taking the time to give feedback on this issue. I have rewritten it to capture different solutions. This now works with the sudoers example you provided as well as the one set when using the remediation playbook. I have created a new branch, issue_39, which I hope resolves the issue you have rightly highlighted.

many thanks

uk-bolly