Ensure Sudo Logfile Exists - sudo logfile

Classification:

compliance

Framework:

Control:

Description

A custom sudo log file is configured with the 'logfile' option, a Defaults entry in sudoers. This rule sets it to the default location suggested by CIS, /var/log/sudo.log. Setting logfile adds per-invocation logging to that file on top of sudo's default syslog logging; it does not replace syslog.

Rationale

A sudo log file simplifies auditing of sudo commands.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms (requires bash for the
# ${var//...} and $'...' syntax used below)
if dpkg-query --show --showformat='${db:Status-Status}\n' 'sudo' 2>/dev/null | grep -q installed; then

# XCCDF value var_sudo_logfile: the log path this rule enforces (see Description)
var_sudo_logfile='/var/log/sudo.log'

if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    # Only /etc/sudoers is inspected; a "Defaults logfile=" in a file pulled in
    # by #includedir (/etc/sudoers.d/*) is parsed later and would still take precedence.
    if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option logfile
        echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
    else
        # sudoers file defines Option logfile, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
            # escape '/' so the path can be used as a sed replacement
            escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
            sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
        fi
    fi

    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
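An audit helper added here as an example; it is not part of the ComplianceAsCode rule or its remediation above. The remediation only greps /etc/sudoers, but sudo applies Defaults in parse order and follows #includedir/@includedir, so the last logfile= it reads wins. The script resolves the effective logfile across a sudoers file and any includedir directories it references, then checks that the log file is a root-owned regular file with no group/other access (sudo creates it 0600 on first use). The sudoers tree built by make_sample_sudoers is constructed sample data; the function names, the owner/mode expectation and the reliance on the ls -ld column layout are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode rule: resolve the sudo
# "logfile" Defaults option actually in effect and verify the log file itself.
# sudo evaluates Defaults in parse order, following #includedir/@includedir,
# so the last "logfile=" seen wins. Takes a file path, so it can be run on a
# constructed copy without root.

# Print every logfile= value in FILE and, recursively, in the files of any
# includedir it references, in the order sudo would read them.
collect_logfile_settings() {
    local file="$1" line val dir f
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *Defaults*logfile=*)
                # value is either "quoted" or runs to the next space/comma;
                # a commented-out line never matches because Defaults must start it
                val=$(printf '%s\n' "$line" | sed -n -E \
                    's/^[[:space:]]*Defaults[^#]*[[:space:],]logfile=("[^"]*"|[^[:space:],]+).*$/\1/p')
                val=${val#\"}; val=${val%\"}
                if [ -n "$val" ]; then printf '%s\n' "$val"; fi
                ;;
            *includedir*)
                dir=$(printf '%s\n' "$line" | sed -n -E \
                    's/^[[:space:]]*[#@]includedir[[:space:]]+([^[:space:]]+).*$/\1/p')
                [ -n "$dir" ] || continue
                # sudo reads the directory in sorted order and skips names that
                # contain '.' or end in '~' (editor backups, package leftovers)
                for f in "$dir"/*; do
                    [ -f "$f" ] || continue
                    case "${f##*/}" in *.*|*~) continue ;; esac
                    collect_logfile_settings "$f"
                done
                ;;
        esac
    done < "$file"
}

# The setting sudo will actually use (empty if none is configured).
effective_sudo_logfile() {
    collect_logfile_settings "$1" | tail -n 1
}

# Return 0 if PATH is a regular file owned by OWNER (default root) with no
# group/other permission bits, the state sudo leaves it in after creating it.
# Reads ls -ld: field 1 is the mode string, field 3 the owner (assumption).
check_sudo_logfile() {
    local path="$1" owner="${2:-root}"
    [ -f "$path" ] || return 1
    set -- $(ls -ld "$path")
    [ "$3" = "$owner" ] || return 1
    case "$1" in
        -???------*) return 0 ;;   # trailing '.' or '+' = SELinux label / ACL
        *) return 1 ;;
    esac
}

# Constructed sample sudoers tree (not a real system's config) for running the
# check without root; prints the temp directory. Effective value: /var/log/custom.log
make_sample_sudoers() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/sudoers.d"
    cat > "$dir/sudoers" <<EOF
# Defaults logfile=/var/log/commented-out.log
Defaults        env_reset
Defaults        logfile="/var/log/sudo.log"
root    ALL=(ALL:ALL) ALL
#includedir $dir/sudoers.d
EOF
    # parsed after the main file, so this one wins
    printf 'Defaults logfile=/var/log/custom.log, log_year\n' > "$dir/sudoers.d/10-logging"
    # both must be ignored: '.' in the name, trailing '~'
    printf 'Defaults logfile=/var/log/ignored.log\n' > "$dir/sudoers.d/README.md"
    printf 'Defaults logfile=/var/log/ignored.log\n' > "$dir/sudoers.d/10-logging~"
    printf '%s\n' "$dir"
}

main() {
    local lf
    lf=$(effective_sudo_logfile "${1:-/etc/sudoers}")
    if [ -z "$lf" ]; then
        echo "FAIL: no 'Defaults logfile=' in effect; sudo is logging to syslog only"
        return 1
    fi
    echo "effective sudo logfile: $lf"
    if check_sudo_logfile "$lf"; then
        echo "PASS: $lf is root-owned with no group/other access"
    else
        echo "WARN: $lf is missing (sudo creates it on first use) or its permissions are too open"
        return 1
    fi
}

# usage: sh check_sudo_logfile.sh /etc/sudoers   (or a path from make_sample_sudoers)
if [ -n "${1:-}" ]; then main "$1"; fi
```

Running it against a live host needs read access to /etc/sudoers and /etc/sudoers.d, so run it as root. A non-zero exit from main means either no logfile is in effect or the file's ownership/mode has drifted from what sudo sets.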

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2.1.5
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile

# XCCDF value var_sudo_logfile: the log path this rule enforces (see Description)
- name: XCCDF Value var_sudo_logfile # promote to variable
  set_fact:
    var_sudo_logfile: !!str /var/log/sudo.log
  tags:
    - always

# Rewrite an existing "Defaults ... logfile=..." line in place, keeping any
# other options on that line (\1 and \2); visudo validates the result first.
- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$
    line: Defaults \1logfile={{ var_sudo_logfile }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_logfile_option
  when: '"sudo" in ansible_facts.packages'
  tags:
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2.1.5
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile

# Append the option when the first task did not rewrite an existing line
- name: Enable logfile option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults logfile={{ var_sudo_logfile }}
    validate: /usr/sbin/visudo -cf %s
  when:
    - '"sudo" in ansible_facts.packages'
    - edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
  tags:
    - PCI-DSS-Req-10.2.5
    - PCI-DSSv4-10.2.1.5
    - low_complexity
    - low_disruption
    - low_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_custom_logfile