ansible-hardening: false positive for sudo NOPASSWD check
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Medium | Major Hayden |
Bug Description
The RHEL7STIG checks for the word 'nopasswd' in /etc/sudoers here:
* https:/
This causes a false positive on a stock RHEL7 server, as there's a commented-out example from Red Hat, like so, present in the /etc/sudoers file:
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
This results in:
TASK [ansible-hardening : Check for 'nopasswd' in sudoers files] ***************
task path: ansible-
ok: [SERVERNAME] => {"changed": false, "cmd": "grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ || echo 'not found'", "delta": "0:00:00.004764", "end": "2017-07-03 16:34:09.278939", "rc": 0, "start": "2017-07-03 16:34:09.274175", "stderr": "", "stderr_lines": [], "stdout": "/etc/sudoers:# %wheel\
TASK [ansible-hardening : V-71947 - Users must provide a password for privilege escalation.] ***
task path: ansible-
ok: [SERVERNAME] => {
"msg": "The 'NOPASSWD' directive was found in the sudoers configuration files. Remove the directive to ensure that all users must provide a password to run commands as the root user.\n"
}
We should be smarter about ignoring commented-out lines, especially since it's delivered this way from the vendor as a default.
Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
We should probably replace https://github.com/openstack/ansible-hardening/blob/f422da8599c6d8f64ebfefbf0a0aa711ea1f9569/tasks/rhel7stig/auth.yml#L104
by
shell: grep -Eir '^[^#]*nopasswd' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
or something like that?
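A comment-aware version of the check, shown as an added example that is not part of the bug report or of the ansible-hardening project. The sample /etc/sudoers and drop-in file are constructed here under a temporary directory (the real task paths, /etc/sudoers and /etc/sudoers.d/, are only referenced in the comments), and the function names are assumed for this example:

```shell
#!/bin/sh
# Added example: a NOPASSWD scan for sudoers files that does not trip on
# the vendor's commented-out '# %wheel ALL=(ALL) NOPASSWD: ALL' line.

# Build constructed sample files mirroring /etc/sudoers and /etc/sudoers.d/
# and print the directory they live in.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sudoers.d"
    # Stock-style sudoers: the only NOPASSWD mention is the commented example.
    cat > "$dir/sudoers" <<'EOF'
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL
EOF
    # Drop-in with a real passwordless grant that must still be flagged.
    cat > "$dir/sudoers.d/deploy" <<'EOF'
deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app
EOF
    echo "$dir"
}

# The original check: counts every line mentioning NOPASSWD, comments
# included, which is the false positive reported in this bug.
naive_count() {
    grep -ir nopasswd "$@" | wc -l | tr -d ' '
}

# The fixed check: '^[^#]*' requires that no '#' precede NOPASSWD on the
# line, so leading-comment lines (and trailing-comment mentions) are ignored
# while an active directive anywhere on a line is still matched.
active_count() {
    grep -Eir '^[^#]*nopasswd' "$@" | wc -l | tr -d ' '
}

# Task-style wrapper: prints matching lines or 'not found'; exit status 1
# means an active NOPASSWD directive exists (usable with failed_when).
nopasswd_active() {
    if grep -Eir '^[^#]*nopasswd' "$@" 2>/dev/null; then
        return 1
    fi
    echo 'not found'
    return 0
}

# Stand-alone demo: naive count shows the false positive, active count does not.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    echo "naive  /etc/sudoers:              $(naive_count "$d/sudoers")"
    echo "active /etc/sudoers:              $(active_count "$d/sudoers")"
    echo "active /etc/sudoers + sudoers.d/: $(active_count "$d/sudoers" "$d/sudoers.d/")"
    rm -rf "$d"
fi
```

The regex is still line-based: sudoers directives continued across lines with a trailing backslash, and '#include'/'#includedir' lines (which start with '#' and are skipped), are outside what this grep reasons about, so it is a pragmatic improvement over the word match rather than a sudoers parser.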