UNIX agent-less sudoers with NOEXEC tag
Article ID: 261332


Products

Control Compliance Suite Standards Server

Issue/Introduction

Recently a sample sudoers configuration was provided to me along with the list of necessary sudo commands for agent-less data collection on UNIX machines. The sample configuration didn't contain the NOEXEC sudo tag, which however we would like to use in our environment. While testing data collection with the tag, I have discovered that the evaluation results differ on data collected with and without the NOEXEC tag.

In my example I ran an agent-less data collection on a RHEL 7 asset with the CIS Benchmark for Red Hat Enterprise Linux 7 v3.1.1 Level 1. When NOEXEC is not present, 74 checks fail, 12 are not applicable and 106 succeed. With NOEXEC, however, 79 fail, 13 are not applicable and only 100 pass. This most probably means that NOEXEC is interfering with the data collection (i.e. preventing shell escapes). Can you please explain why this is happening and how to fix the configuration?

My current sudoers configuration for the scan user:

Cmnd_Alias CCS_CMDLIST=/usr/bin/awk,/usr/bin/cat,/usr/bin/chage,/usr/bin/crontab,/usr/bin/cut,/usr/bin/date,/usr/bin/df,/usr/bin/dig,/usr/bin/dmesg,/usr/bin/echo,/usr/bin/egrep,/usr/bin/file,/usr/bin/find,/usr/bin/findmnt,/usr/bin/firewall-cmd,/usr/bin/grep,/usr/bin/head,/usr/bin/id,/usr/bin/locale,/usr/bin/ls,/usr/bin/lsblk,/usr/bin/mount,/usr/bin/netstat,/usr/bin/nmcli,/usr/bin/passwd -S *,/usr/bin/perl,/usr/bin/ps,/usr/bin/rpm,/usr/bin/sed,/usr/bin/su - root -c env,/usr/bin/su - root -c umask,/usr/bin/systemctl,/usr/bin/test,/usr/bin/tr,/usr/bin/uname,/usr/bin/xargs,/usr/bin/ypcat,/usr/sbin/auditctl,/usr/sbin/authconfig,/usr/sbin/getenforce,/usr/sbin/ip6tables,/usr/sbin/iptables,/usr/sbin/lsmod,/usr/sbin/modprobe,/usr/sbin/nft,/usr/sbin/sestatus,/usr/sbin/ss,/usr/sbin/sshd,/usr/sbin/sysctl

ccsuser ALL=(root) SETENV: NOPASSWD: NOEXEC: CCS_CMDLIST

Environment

Release : CCS Infra Release 12.6+

Cause

A few of the listed commands give a Permission denied error when the NOEXEC attribute is set, and hence there is a compliance mismatch for a few checks. NOEXEC stops the command that sudo runs from executing any further program, so a command that has to start a child process (for example su, which launches a shell to run env or umask) fails under it.

For commands such as /usr/bin/grep, /usr/bin/egrep and /usr/bin/xargs, we may need a code fix, which we can take up in future content.

Commands such as /usr/bin/su - root -c env and /usr/bin/su - root -c umask need to be run with the EXEC option.

Resolution

If the customer wants to use the NOEXEC attribute in their sudoers configuration, they can use the following sudoers configuration instead, which keeps NOEXEC on every command except the few that must be allowed to start a child process.

Cmnd_Alias CCS_CMDLIST=/usr/sbin/auditctl,/usr/sbin/authconfig,/usr/bin/awk,/usr/bin/cat,/usr/bin/chage,/usr/bin/crontab,/usr/bin/cut,/usr/bin/date,/usr/bin/df,/usr/bin/dmesg,/usr/bin/file,/usr/bin/find,/usr/bin/findmnt,/usr/bin/firewall-cmd,/usr/sbin/getenforce,/usr/bin/head,/usr/bin/id,/usr/sbin/ip6tables,/usr/sbin/iptables,/usr/bin/locale,/usr/bin/ls,/usr/bin/lsblk,/usr/sbin/lsmod,/usr/bin/mount,/usr/bin/netstat,/usr/sbin/nft,/usr/bin/nmcli,/usr/bin/passwd -S *,/usr/bin/perl,/usr/bin/ps,/usr/bin/rpm,/usr/bin/sed,/usr/sbin/sestatus,/usr/sbin/ss,/usr/sbin/sshd,/usr/sbin/sysctl,/usr/bin/systemctl,/usr/bin/test,/usr/bin/tr,/usr/bin/uname,/usr/bin/ypcat,/usr/bin/echo,/usr/bin/dig

Cmnd_Alias CCS_CMDLIST_WITHOUT_NOEXEC=/usr/bin/grep,/usr/bin/egrep,/usr/bin/xargs,/usr/bin/su - root -c env,/usr/bin/su - root -c umask

ccsuser ALL=(root) SETENV: NOPASSWD: NOEXEC: CCS_CMDLIST, EXEC: CCS_CMDLIST_WITHOUT_NOEXEC

I have verified the CER job with the above-mentioned sudo configuration. The commands that were previously giving a Permission denied error now get executed correctly.
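As an added example (not part of this article or the CCS product), the following Python script models the two sudoers rules the corrected configuration relies on, a Cmnd_Alias being a comma-separated command list and a NOEXEC:/EXEC: tag applying to every later command on the line until another tag overrides it, and reports the tag each command ends up with. The sudoers fragments inside it are constructed, shortened copies of the "before" and "after" rules above, and it assumes the noexec default is not set in sudoers.

```python
"""Effective NOEXEC/EXEC tag per command in a sudoers fragment (added example,
not CCS code). Models two sudoers rules: a Cmnd_Alias is a comma-separated
command list, and a NOEXEC:/EXEC: tag in a user specification applies to the
command that follows it and to every later command in that line until another
tag overrides it. Assumes the 'noexec' default is off (untagged means EXEC)."""
import re

# Constructed input: the article's "before" and "after" rules, with the command
# lists shortened to a representative subset.
BEFORE = """
Cmnd_Alias CCS_CMDLIST=/usr/bin/awk,/usr/bin/xargs,/usr/bin/su - root -c env
ccsuser ALL=(root) SETENV: NOPASSWD: NOEXEC: CCS_CMDLIST
"""
AFTER = """
Cmnd_Alias CCS_CMDLIST=/usr/bin/awk,/usr/bin/cat, /usr/bin/passwd -S *
Cmnd_Alias CCS_CMDLIST_WITHOUT_NOEXEC=/usr/bin/grep, /usr/bin/xargs, /usr/bin/su - root -c env
ccsuser ALL=(root) SETENV:NOPASSWD:NOEXEC:CCS_CMDLIST, EXEC:CCS_CMDLIST_WITHOUT_NOEXEC
"""

def parse_aliases(text):
    """Return {alias_name: [command, ...]} for every Cmnd_Alias line."""
    aliases = {}
    for m in re.finditer(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", text, re.M):
        aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",") if c.strip()]
    return aliases

def effective_exec_tags(text, user):
    """Map each command `user` may run as root to 'NOEXEC' or 'EXEC'."""
    aliases = parse_aliases(text)
    m = re.search(rf"^{re.escape(user)}\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$", text, re.M)
    if not m:
        raise ValueError(f"no user specification for {user}")
    result, current = {}, "EXEC"
    for item in m.group(1).split(","):
        # e.g. "SETENV:NOPASSWD:NOEXEC:CCS_CMDLIST" -> tags, then alias or command
        *tags, target = [p.strip() for p in item.split(":")]
        for tag in tags:
            if tag in ("NOEXEC", "EXEC"):
                current = tag          # persists for the rest of the line
        for cmd in aliases.get(target, [target]):
            result[cmd] = current      # a later match overrides an earlier one
    return result

def overlap(text):
    """Commands listed in more than one alias; their tag then depends on order."""
    seen, dup = set(), set()
    for cmds in parse_aliases(text).values():
        for c in cmds:
            (dup if c in seen else seen).add(c)
    return sorted(dup)
```

Running effective_exec_tags on BEFORE shows su and xargs under NOEXEC, which is the state that produced the Permission denied errors; on AFTER only the commands in CCS_CMDLIST_WITHOUT_NOEXEC come back as EXEC, and overlap(AFTER) is empty, so no command's tag depends on list order.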