{"description": "All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.\nIf the command is supposed to be executed only without arguments, pass \"\" as an argument in the corresponding user specification.", "rationale": "Any argument can modify quite significantly the behavior of a program, whether regarding the\nrealized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To\navoid any possibility of misuse of a command by a user, the ambiguities must be removed at the\nlevel of its specification.\n\nFor example, on some systems, the kernel messages are only accessible by root.\nIf a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted\nin order to prevent the user from flushing the buffer through the -c option:\n<pre>\nuser ALL = dmesg \"\"\n</pre>", "severity": "medium", "references": {"anssi": ["R43"]}, "control_references": {"anssi": ["R43"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/sudoers file contains user specifications that allow execution of commands with any arguments", "ocil": "To determine if arguments that commands can be executed with are restricted, run the following command:\n<pre>$ sudo grep -PR '^(?:\\s*[^#=]+)=(?:\\s*(?:\\([^\\)]+\\))?\\s*(?!\\s*\\()[^,\\s]+(?:[ \\t]+[^,\\s]+)+[ \\t]*,)*(\\s*(?:\\([^\\)]+\\))?\\s*(?!\\s*\\()[^,\\s]+[ \\t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/</pre>\nThe command should return no output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments."}, {"general": "The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, <code>root ALL=(ALL) echo 1\\,2</code> allows root to execute <code>echo 1,2</code>, but the check would interpret it as two commands <code>echo 1\\</code> and <code>2</code>."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[sudo]", "platforms": ["package[sudo]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_sudo"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Explicit arguments in sudo specifications", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudoers_explicit_command_args/rule.yml", "template": null}