From 257bf01f5230d9f5b90ed378c447402837c0e09e Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Wed, 14 Feb 2024 07:08:12 -0600
Subject: [PATCH] Add new rule file_permissions_sudo

---
 components/sudo.yml | 1 +
 controls/anssi.yml | 1 +
 .../sudo/file_permissions_sudo/rule.yml | 24 +++++++++++++++++++
 shared/references/cce-redhat-avail.txt | 3 ---
 4 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml

diff --git a/components/sudo.yml b/components/sudo.yml
index 1af9eeb309b..baaf461f4ad 100644
--- a/components/sudo.yml
+++ b/components/sudo.yml
@@ -26,5 +26,6 @@ rules:
 - sudoers_no_command_negation
 - sudoers_no_root_target
 - sudoers_validate_passwd
+- file_permissions_sudo
 templates:
 - sudo_defaults_option
diff --git a/controls/anssi.yml b/controls/anssi.yml
index daec35f1089..c0fdf53eaa3 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -885,6 +885,7 @@ controls:
 rules:
 - sudo_dedicated_group
 - var_sudo_dedicated_group=sudogrp
+ - file_permissions_sudo
 
 - id: R39
 title: Sudo configuration guidelines
diff --git a/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml
new file mode 100644
index 00000000000..b56e6c17aab
--- /dev/null
+++ b/linux_os/guide/system/software/sudo/file_permissions_sudo/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Ensure That the sudo Binary Has the Correct Permissions'
+
+description: |-
+{{{ describe_file_permissions("/usr/bin/sudo", "4111") | indent(4) }}}
+
+rationale: |-
+ The sudoers program should only be usable by people who have the correct permissions.
+
+identifiers:
+ cce@rhel7: CCE-86949-5
+ cce@rhel8: CCE-86950-3
+ cce@rhel9: CCE-86951-1
+
+severity: medium
+
+platform: package[sudo]
+
+template:
+ name: "file_permissions"
+ vars:
+ filepath: "/usr/bin/sudo"
+ filemode: '4111'
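Review bot: `filemode: '4111'` in the new rule.yml does not fit the control it is added to in the controls/anssi.yml hunk (the sudo control just before R39, which already carries `sudo_dedicated_group` and `var_sudo_dedicated_group=sudogrp`). If I recall that ANSSI recommendation correctly it wants the sudo binary at 4750 owned by root and the dedicated group, and since the `file_permissions` template as far as I know accepts stricter-but-not-more-permissive modes by default (`allow_stricter_permissions`), a host hardened to 4750 would fail this check because of the group-read bit while a world-executable 4111 binary passes, which is the opposite of what the control is about. Either drive `filemode` from a selectable variable that the ANSSI control sets to 4750 while the default stays 4111, or keep the rule as a distro-default baseline and drop it from that control; in both cases a companion owner/group-owner check is what makes the mode meaningful, since 4750 only restricts access if the group is the dedicated one. The rationale also names the wrong object (`sudoers`) and states no risk; I would replace it with `The sudo binary runs setuid root. If any user other than root can write to it, that user can replace it with code that runs as root, and the execute bits determine who may invoke sudo at all.`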
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 08e6a876d39..ab502bec716 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -509,9 +509,6 @@ CCE-86939-6
 CCE-86940-4
 CCE-86941-2
 CCE-86942-0
-CCE-86949-5
-CCE-86950-3
-CCE-86951-1
 CCE-86952-9
 CCE-86953-7
 CCE-86955-2