Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

An XCCDF Rule

Description

The sudo ignore_dot tag, when specified, will ignore the current directory in the PATH environment variable. This should be enabled by making sure that the ignore_dot tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

Ignoring the commands in the user's current directory prevents an attacker from executing commands downloaded locally.

ID: xccdf_org.ssgproject.content_rule_sudo_add_ignore_dot
Severity: Medium
References: BP28(R58)

CCE-91493-7
Updated: about 1 year ago

- name: Ensure ignore_dot is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\bignore_dot\b.*$
    line: Defaults ignore_dot
    validate: /usr/sbin/visudo -cf %s  tags:
  - CCE-91493-7
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_ignore_dot


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\bignore_dot\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option ignore_dot
        echo "Defaults ignore_dot" >> /etc/sudoers    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Ensure sudo Ignores Commands In Current Dir - sudo ignore_dot

Description

Rationale

Remediation - Ansible

Remediation - Shell Script