From e112b92c64eddcf699ca452474fc19730e63104e Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 10 Jul 2017 09:39:59 -0500
Subject: [PATCH] Fix grep for sudoers w/o password

The grep task that looks for sudoers that have the NOPASSWD option had false positives when the line began with a space or comment character. This patch fixes the regex to account for those.

Closes-Bug: 1702182
Change-Id: Iaf6e388cff1243838acd2edb02d48dda174410be
---
 tasks/rhel7stig/auth.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tasks/rhel7stig/auth.yml b/tasks/rhel7stig/auth.yml
index 7f9b277c..194d71d5 100644
--- a/tasks/rhel7stig/auth.yml
+++ b/tasks/rhel7stig/auth.yml
@@ -100,8 +100,15 @@
     - V-71943
     - V-71945
 
+# NOTE(mhayden): The unusual regex here ensures that we're omitting any lines
+# that are commented out. Some commented lines may be preprended with spaces,
+# so we need to account for that as well.
+#
+# First step is to find lines with 'nopasswd' in them and then omit any of
+# those lines that have a '#' as the first character or '#' as the first
+# character following a space (or series of spaces).
 - name: Check for 'nopasswd' in sudoers files
-  shell: grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ || echo 'not found'
+  shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
   register: sudoers_nopasswd_check
   changed_when: False
   tags:
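Review bot: The `^` anchor in the new `egrep -v "^([[:space:]]*)?(#|$)"` filter never sees the start of a sudoers line, because `grep -ir` with two path operands prefixes every match with `filename:`, so a commented `NOPASSWD` entry still passes the filter and the false positive this commit targets is not actually removed. Either suppress the prefix with `grep -irh …` or anchor past it, e.g. `egrep -v '^[^:]*:[[:space:]]*#'`; the first option drops the file name from `sudoers_nopasswd_check.stdout`, which later tasks may report (not visible here), so the second is the safer change. The `$` alternative and the outer `(…)?` group are dead weight, since every line reaching the filter already contains `nopasswd` and `*` already permits zero spaces. The task continues past the hunk (its `tags:` list), and `preprended` in the added comment should read `prepended`.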