Fix grep for sudoers w/o password

The grep task that looks for sudoers that have the NOPASSWD option
had false positives when the line began with a space or comment
character. This patch fixes the regex to account for those.

Closes-Bug: 1702182
Change-Id: Iaf6e388cff1243838acd2edb02d48dda174410be
Major Hayden 2017-07-10 09:39:59 -05:00
parent ff7d7668df
commit e112b92c64
GPG Key ID: 737051E0C1011FB1
1 changed files with 8 additions and 1 deletions


@ -100,8 +100,15 @@
- V-71943
- V-71945
# NOTE(mhayden): The unusual regex here ensures that we're omitting any lines
# that are commented out. Some commented lines may be preprended with spaces,
# so we need to account for that as well.
#
# First step is to find lines with 'nopasswd' in them and then omit any of
# those lines that have a '#' as the first character or '#' as the first
# character following a space (or series of spaces).
- name: Check for 'nopasswd' in sudoers files
shell: grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ || echo 'not found'
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
register: sudoers_nopasswd_check
changed_when: False
tags:
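Review bot: the new `egrep -v "^([[:space:]]*)?(#|$)"` filter on the replaced `shell:` line will not exclude anything in practice, because `grep -ir` invoked with two paths (`/etc/sudoers /etc/sudoers.d/`) prefixes every output line with its filename and a colon, so no output line begins with optional whitespace followed by `#`, and the commented-out false positives the NOTE describes still get through. Either suppress the filename prefix with `-h` (`grep -irh nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^[[:space:]]*(#|$)"`) or anchor the exclusion after the prefix (`egrep -v "^([^:]*:)?[[:space:]]*(#|$)"`). Minor: the `( ... )?` around `[[:space:]]*` is redundant since `*` already matches zero spaces; `egrep` is deprecated in favour of `grep -E`; and the NOTE comment reads "preprended" for "prepended".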