Merge pull request #11584 from Mab879/update_r38

Add new rule file_permissions_sudo
ComplianceAsCode · Feb 22, 2024 · 570eeb7 · 570eeb7
2 parents dfd6971 + 257bf01
commit 570eeb7
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/components/sudo.yml b/components/sudo.yml
@@ -32,5 +32,6 @@ rules:
 - sudoers_no_command_negation
 - sudoers_no_root_target
 - sudoers_validate_passwd
+- file_permissions_sudo
 templates:
 - sudo_defaults_option
diff --git a/controls/anssi.yml b/controls/anssi.yml
@@ -886,6 +886,7 @@ controls:
     rules:
     - sudo_dedicated_group
     - var_sudo_dedicated_group=sudogrp
+    - file_permissions_sudo
 
   - id: R39
     title: Sudo configuration guidelines

diff --git a/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Ensure That the sudo Binary Has the Correct Permissions'
+
+description: |-
+{{{ describe_file_permissions("/usr/bin/sudo", "4111") | indent(4) }}}
+
+rationale: |-
+    The sudoers program should only be usable by people who have the correct permissions.
+
+identifiers:
+    cce@rhel7: CCE-86949-5
+    cce@rhel8: CCE-86950-3
+    cce@rhel9: CCE-86951-1
+
+severity: medium
+
+platform: package[sudo]
+
+template:
+    name: "file_permissions"
+    vars:
+        filepath: "/usr/bin/sudo"
+        filemode: '4111'
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -400,9 +400,6 @@ CCE-86939-6
 CCE-86940-4
 CCE-86941-2
 CCE-86942-0
-CCE-86949-5
-CCE-86950-3
-CCE-86951-1
 CCE-86952-9
 CCE-86953-7
 CCE-86955-2