Ensure only owner and members of group owner of /usr/bin/sudo can execute it

An XCCDF Rule

Description

Remove the execute permission bit of /etc/bin/sudo for the other users. To properly set the permissions of /usr/bin/sudo, run the command:

$ sudo chmod 4110 /usr/bin/sudo

Rationale

Restricting the set of users able to execute commands as privileged user reduces the attack surface.

ID: xccdf_org.ssgproject.content_rule_sudo_restrict_others_executable_permission
Severity: Medium
References: BP28(R57)

CCE-83574-4
Updated: about 1 year ago

- name: Test for existence /usr/bin/sudo
  stat:
    path: /usr/bin/sudo
  register: file_exists
  tags:
  - CCE-83574-4  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sudo_restrict_others_executable_permission

- name: Ensure permission u-wr,g-wrs,o-xwrt on /usr/bin/sudo
  file:
    path: /usr/bin/sudo
    mode: u-wr,g-wrs,o-xwrt
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CCE-83574-4
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - sudo_restrict_others_executable_permission






chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo

Ensure only owner and members of group owner of /usr/bin/sudo can execute it

Description

Rationale

Remediation - Ansible

Remediation - Shell Script