Description
Describe the Issue
The regular expression checking validity of the logfile value in the sudo configuration, `^Defaults logfile=/var/log/*.log`, is woefully insufficient; it doesn't even match the value set by the UBUNTU22-CIS remediation playbook (code from the latest release 1.4.1):
https://github.com/ansible-lockdown/UBUNTU22-CIS/blob/89821b87ed07712e611cf975757d7c4cdda06e1e/tasks/section_5/cis_5.3.x.yml#L33
```yaml
- name: "5.3.3 | PATCH | Ensure sudo log file exists"
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    regexp: '^Defaults\s+logfile'
    line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"'
    insertafter: '^\s*Defaults'
```
generates the following line:
```
Defaults logfile="/var/log/sudo.log"
```
Expected Behavior
`/etc/sudoers` should have 1 match.
Actual Behavior
```
# grep -Ec '^Defaults logfile=/var/log/*.log' /etc/sudoers /etc/sudoers.d/.*/
/etc/sudoers:0
grep: /etc/sudoers.d/../: Is a directory
/etc/sudoers.d/../:0
grep: /etc/sudoers.d/./: Is a directory
/etc/sudoers.d/./:0
```
Control(s) Affected
CIS 5.3.3
Environment (please complete the following information):
- branch being used: benchmark-v1.0.0
- Ansible Version: 2.17.5
- Host Python Version: Python 3.10.12
- Ansible Server Python Version: Python 3.11.10
- Additional Details:
Additional Notes
This got uncovered by merging the fix for #36.
Possible Solution
The regular expression needs to be expanded to match at least the basic format allowed by sudoers(5), and definitely match what the remediation playbook sets.
Suggested regex as a starting point, which keeps the original intention and allows for setting flags or more detailed Defaults, double quotes around the filename, and correctly matches the file name wildcard:
```
^Defaults(?:[@:!>]\S+)?\s+(?:\w+(?:,\s*)?)*logfile=[\"]?/var/log/.*\.log[\"]?$
```
It should match the value set by the remediation playbook, the example from sudoers(5), etc.:
```
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
```
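The following is an added test harness, not part of this issue or of the UBUNTU22-CIS/audit repositories. It runs the audit's original pattern, the pattern suggested above, and a tightened variant of my own over a handful of constructed sudoers lines, using Python's `re` module (which, like `grep -P`, understands the `(?:...)` groups the suggested pattern relies on). The line names, the sample lines, and `TIGHTENED_PATTERN` are my assumptions; the two other patterns are copied from this issue.

```python
import re

# Constructed sample lines (not captured from a real host).
REMEDIATION_LINE = 'Defaults logfile="/var/log/sudo.log"'               # what the playbook writes
MANPAGE_LINE = 'Defaults@SERVERS log_year, logfile=/var/log/sudo.log'  # example from sudoers(5)
UNQUOTED_LINE = 'Defaults logfile=/var/log/sudo.log'
COMMENTED_LINE = '# Defaults logfile=/var/log/sudo.log'                # commented out, must not count
WRONG_DIR_LINE = 'Defaults logfile=/tmp/sudo.log'                      # outside /var/log, must not count
ODD_LINE = 'Defaults logfile=/var/log/slog'                            # no ".log" suffix at all
GLUED_LINE = 'Defaults foologfile=/var/log/x.log'                      # "foologfile" is not the logfile option

ALL_LINES = [REMEDIATION_LINE, MANPAGE_LINE, UNQUOTED_LINE, COMMENTED_LINE,
             WRONG_DIR_LINE, ODD_LINE, GLUED_LINE]

# Pattern the audit uses today (quoted in this issue). Note that "/*" means
# "zero or more slashes" and "." means "any character", so the intended
# glob "/var/log/*.log" is not what this regex expresses.
ORIGINAL_PATTERN = r'^Defaults logfile=/var/log/*.log'

# Pattern suggested in this issue.
SUGGESTED_PATTERN = (r'^Defaults(?:[@:!>]\S+)?\s+(?:\w+(?:,\s*)?)*'
                     r'logfile=[\"]?/var/log/.*\.log[\"]?$')

# Hypothetical tightened variant (my assumption, not from the issue):
# preceding options must be comma-terminated, so "foologfile=" cannot be
# read as "foo" + "logfile=", and the opening and closing quote must agree.
TIGHTENED_PATTERN = (r'^Defaults(?:[@:!>]\S+)?\s+'
                     r'(?:!?\w+(?:=\S+)?,\s*)*'
                     r'logfile=("?)/var/log/[^"\s]+\.log\1\s*$')


def matches(pattern: str, line: str) -> bool:
    """grep -E semantics: search anywhere in the line; the ^/$ anchors do the rest."""
    return re.search(pattern, line) is not None


def count_matches(pattern: str, lines) -> int:
    """Equivalent of `grep -Ec PATTERN FILE`: the number of matching lines."""
    return sum(1 for line in lines if matches(pattern, line))


def report(lines) -> None:
    """Print which constructed lines each pattern accepts."""
    for name, pattern in (('original', ORIGINAL_PATTERN),
                          ('suggested', SUGGESTED_PATTERN),
                          ('tightened', TIGHTENED_PATTERN)):
        print(f'{name}: {count_matches(pattern, lines)} of {len(lines)} lines match')
        for line in lines:
            print('  ' + ('MATCH  ' if matches(pattern, line) else 'no     ') + line)


if __name__ == '__main__':
    report(ALL_LINES)
```

Running it shows the point of the issue: the original pattern rejects the playbook's quoted line and the sudoers(5) example but accepts `/var/log/slog`, because `/*.log` is "any number of slashes, any one character, then `log`". The suggested pattern fixes that, while the glued `foologfile=` case is one edge the tightened variant closes.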