Ensure sudo Runs In A Minimal Environment - sudo env_reset
An XCCDF Rule
Description
The sudo env_reset tag, when specified, will run the command in a minimal environment, containing the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER and SUDO_* variables. This should be enabled by making sure that the env_reset tag exists in the /etc/sudoers configuration file or in any sudo configuration snippet in /etc/sudoers.d/.
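The check described above, as an added audit example that is not part of the SSG rule content: it reads the main sudoers file and its drop-in snippets and reports whether "Defaults env_reset" is in effect. It assumes the files are readable (run it as root on a real host) and uses the default paths named in the description. Because sudoers applies Defaults entries in order with the last one winning, and reads #includedir snippets at the position of that directive, the script also recognises a later "Defaults !env_reset" line as negating the option, which a plain grep for env_reset would miss.

```shell
#!/bin/sh
# Added audit example, not part of the SSG rule content.
# Reports whether "Defaults env_reset" is in effect across a sudoers file and
# its drop-in snippets. Assumes the files are readable (run as root on a real
# host); the system paths used below are the ones from the rule description.

# Print "on", "off" or "missing" for the sudoers files given as arguments.
# sudoers applies Defaults entries in order and the last one wins; passing the
# main file first and the drop-ins after it approximates the #includedir order.
sudo_env_reset_state() {
    cat "$@" 2>/dev/null | awk '
        /^[ \t]*Defaults/ {
            # Split the line into words; "!env_reset" negates the option.
            # A per-user negation (Defaults:user !env_reset) is treated
            # conservatively as turning the option off.
            n = split($0, f, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] == "env_reset")  s = "on"
                if (f[i] == "!env_reset") s = "off"
            }
        }
        END { print (s == "" ? "missing" : s) }'
}

# Exit 0 only when env_reset is explicitly enabled and not overridden later.
sudo_env_reset_enabled() {
    [ "$(sudo_env_reset_state "$@")" = "on" ]
}

# Stand-alone use: audit the system files named in the rule description.
if [ "${1:-}" = "--check-system" ]; then
    if sudo_env_reset_enabled /etc/sudoers /etc/sudoers.d/*; then
        echo "PASS: Defaults env_reset is in effect"
    else
        echo "FAIL: Defaults env_reset is missing or negated"
        exit 1
    fi
fi
```

Run it as `sh check_env_reset.sh --check-system` (the file name is a placeholder). The remediation snippets on this page only edit /etc/sudoers, so a negating snippet in /etc/sudoers.d/ would still leave the rule failing; this audit makes that case visible.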
Rationale
Forcing sudo to reset the environment ensures that environment variables are not passed on to the command accidentally, preventing leaks of potentially sensitive information.
- ID: xccdf_org.ssgproject.content_rule_sudo_add_env_reset
- Severity: Medium
- References
- Updated
Remediation - Shell Script
if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\benv_reset\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option env_reset
        echo "Defaults env_reset" >> /etc/sudoers
    fi
    # Re-validate the edited file; restore the backup if it no longer parses
    /usr/sbin/visudo -qcf /etc/sudoers && rm -f /etc/sudoers.bak || mv /etc/sudoers.bak /etc/sudoers
fi
Remediation - Ansible
- name: Ensure env_reset is enabled in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults.*\benv_reset\b.*$
    line: Defaults env_reset
    validate: /usr/sbin/visudo -cf %s