Don't define allowed commands in sudoers by means of exclusion
An XCCDF Rule
Description
Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the sudoers file contains a comma-delimited list of command specifications. The definition can make use of glob patterns as well as negations. Defining the allowed commands indirectly, by excluding a set of commands, is trivial to bypass, so such constructs are not allowed.
Warning
This rule doesn't come with a remediation, because negations indicate a design issue with the sudoers user specifications. Simply removing the negations doesn't increase security; you typically have to rethink the definition of allowed commands to fix the issue.
Rationale
Specifying access rights using negation is ineffective and can be easily circumvented. For example, one would expect a specification like

    # To avoid absolutely, this rule can be easily circumvented!
    user ALL = ALL, !/bin/sh

to prevent execution of the shell, but that is not the case: the user only has to copy the /bin/sh binary to a different name, and the copy is executable again through the rule keyword ALL.
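An audit helper that flags command specifications defined by exclusion, added here as an illustration and not part of the XCCDF rule or its OVAL check. It assumes POSIX sh and awk, skips comments and Defaults lines (where "!" unsets an option rather than negating a command), and runs against a constructed sudoers fragment embedded below.

```shell
# Constructed sample sudoers fragment used for the demonstration (not a real file).
SAMPLE_SUDOERS='# comment that happens to contain a ! character
Defaults !visiblepw
root ALL=(ALL) ALL
# To avoid absolutely, this rule can be easily circumvented!
user ALL = ALL, !/bin/sh
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
admin ALL = ALL, !SHELLS
ops ALL = (root) NOPASSWD: /usr/bin/systemctl restart nginx'

# Print every line whose command list (the part after "=") contains a "!" negation.
# Reads the files given as arguments, or stdin when none are given.
find_sudoers_negations() {
    awk '
        /^[[:space:]]*#/        { next }   # comment line
        /^[[:space:]]*$/        { next }   # blank line
        /^[[:space:]]*Defaults/ { next }   # option flags such as !visiblepw, not commands
        {
            idx = index($0, "=")
            if (idx == 0) next             # not a user spec or alias definition
            rhs = substr($0, idx + 1)      # the command specification list
            if (rhs ~ /![[:space:]]*[^[:space:]]/) print NR ": " $0
        }' "$@"
}

# Number of offending lines; 0 means the fragment passes this rule.
count_sudoers_negations() {
    find_sudoers_negations "$@" | wc -l | tr -d " "
}

# Run the audit over the constructed sample when the script is executed directly.
printf '%s\n' "$SAMPLE_SUDOERS" | find_sudoers_negations
```

Both lines reported for the sample (the "!/bin/sh" and "!SHELLS" specifications) need to be rewritten as positive lists of permitted commands rather than merely having the "!" removed.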
ID: xccdf_org.ssgproject.content_rule_sudoers_no_command_negation
Severity: Medium
References:
Updated: