{"description": "Administrators can configure authorized <tt>sudo</tt> users via drop-in files, and it is possible to include\nother directories and configuration files from the file currently being parsed.\n\nMake sure that <tt>/etc/sudoers</tt> only includes drop-in configuration files from <tt>/etc/sudoers.d</tt>,\nor that no drop-in file is included.\nEither <tt>/etc/sudoers</tt> should contain only one <tt>#includedir</tt> directive pointing to\n<tt>/etc/sudoers.d</tt>, and no file in <tt>/etc/sudoers.d/</tt> should include other files or directories;\nor <tt>/etc/sudoers</tt> should not contain any <tt>#include</tt>,\n<tt>@include</tt>, <tt>#includedir</tt> or <tt>@includedir</tt> directives.\nNote that the leading '#' character in <tt>#include</tt> and <tt>#includedir</tt> doesn't denote a comment in the configuration file.", "rationale": "Some <tt>sudo</tt> configuration options allow users to run programs without re-authenticating.\nUse of these configuration options makes it easier for one compromised account to be used to\ncompromise other accounts.", "severity": "medium", "references": {"srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "/etc/sudoers doesn't include /etc/sudoers.d or includes other directories?", "ocil": "To determine whether the <tt>sudo</tt> command includes configuration files from the appropriate directory,\nrun the following command:\n<pre>$ sudo grep -rP '^[#@]include(dir)?' /etc/sudoers /etc/sudoers.d</pre>\nIf only the line <tt>/etc/sudoers:#includedir /etc/sudoers.d</tt> is returned, then the drop-in include configuration is set correctly.\nAny other line returned is a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure sudo only includes the default configuration directory", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudoers_default_includedir/rule.yml", "template": null}