{"description": "Policies applied by sudo through the sudoers file should not involve negation.\n\nEach user specification in the <code>sudoers</code> file contains a comma-delimited list of command specifications.\nThe definition can make use glob patterns, as well as of negations.\nIndirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.", "rationale": "Specifying access right using negation is inefficient and can be easily circumvented.\nFor example, it is expected that a specification like <pre>\n# To avoid absolutely , this rule can be easily circumvented!\nuser ALL = ALL ,!/ bin/sh\n</pre> prevents the execution of the shell\nbut that\u2019s not the case: just copy the binary <code>/bin/sh</code> to a different name to make it executable\nagain through the rule keyword <code>ALL</code>.", "severity": "medium", "references": {"anssi": ["R42"]}, "control_references": {"anssi": ["R42"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/sudoers file contains rules that define the set of allowed commands using negation", "ocil": "To determine if negation is used to define commands users are allowed to execute using <tt>sudo</tt>, run the following command:\n<pre>$ sudo grep -PR '^(?:\\s*[^#=]+)=(?:\\s*(?:\\([^\\)]+\\))?\\s*(?!\\s*\\()[^,!\\n][^,\\n]+,)*\\s*(?:\\([^\\)]+\\))?\\s*(?!\\s*\\()(!\\S+).*' /etc/sudoers /etc/sudoers.d/</pre>\nThe command should return no output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[sudo]", "platforms": ["package[sudo]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_sudo"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Don't define allowed commands in sudoers by means of exclusion", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudoers_no_command_negation/rule.yml", "template": null}