Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
An XCCDF Rule
Description
The sudo NOEXEC
tag, when specified, prevents user executed
commands from executing other commands, like a shell for example.
This should be enabled by making sure that the NOEXEC
tag exists in
/etc/sudoers
configuration file or any sudo configuration snippets
in /etc/sudoers.d/
.
Rationale
Restricting the capability of sudo allowed commands to execute sub-commands prevents users from running programs with privileges they wouldn't have otherwise.
- ID
- xccdf_org.ssgproject.content_rule_sudo_add_noexec
- Severity
- High
- References
- Updated
Remediation - Ansible
- name: Ensure noexec is enabled in /etc/sudoers
lineinfile:
path: /etc/sudoers
regexp: ^[\s]*Defaults.*\bnoexec\b.*$
line: Defaults noexec
validate: /usr/sbin/visudo -cf %s
Remediation - Shell Script
if /usr/sbin/visudo -qcf /etc/sudoers; then
cp /etc/sudoers /etc/sudoers.bak
if ! grep -P '^[\s]*Defaults[\s]*\bnoexec\b.*$' /etc/sudoers; then
# sudoers file doesn't define Option noexec
echo "Defaults noexec" >> /etc/sudoers