diff --git a/components/sudo.yml b/components/sudo.yml index 1af9eeb309b..baaf461f4ad 100644 --- a/components/sudo.yml +++ b/components/sudo.yml @@ -26,5 +26,6 @@ rules: - sudoers_no_command_negation - sudoers_no_root_target - sudoers_validate_passwd +- file_permissions_sudo templates: - sudo_defaults_option diff --git a/controls/anssi.yml b/controls/anssi.yml index daec35f1089..c0fdf53eaa3 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -885,6 +885,7 @@ controls: rules: - sudo_dedicated_group - var_sudo_dedicated_group=sudogrp + - file_permissions_sudo - id: R39 title: Sudo configuration guidelines diff --git a/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml new file mode 100644 index 00000000000..b56e6c17aab --- /dev/null +++ b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml @@ -0,0 +1,24 @@ +documentation_complete: true + +title: 'Ensure That the sudo Binary Has the Correct Permissions' + +description: |- +{{{ describe_file_permissions("/usr/bin/sudo", "4111") | indent(4) }}} + +rationale: |- + The sudoers program should only be usable by people who have the correct permissions. + +identifiers: + cce@rhel7: CCE-86949-5 + cce@rhel8: CCE-86950-3 + cce@rhel9: CCE-86951-1 + +severity: medium + +platform: package[sudo] + +template: + name: "file_permissions" + vars: + filepath: "/usr/bin/sudo" + filemode: '4111' diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 08e6a876d39..ab502bec716 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -509,9 +509,6 @@ CCE-86939-6 CCE-86940-4 CCE-86941-2 CCE-86942-0 -CCE-86949-5 -CCE-86950-3 -CCE-86951-1 CCE-86952-9 CCE-86953-7 CCE-86955-2