From b2295e919e4c39aa24008928f52052481225521b Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 7 May 2026 13:05:43 +0300 Subject: [PATCH 1/5] Check if non-default sed_path_separator is used and add escape to it Make sure the macro lineinfile_absent works ok with lines using forward slash, so the sed can work with those lines&strings --- shared/macros/10-bash.jinja | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/shared/macros/10-bash.jinja b/shared/macros/10-bash.jinja index 49ad72ecbb4..d4ecac19d08 100644 --- a/shared/macros/10-bash.jinja +++ b/shared/macros/10-bash.jinja @@ -1325,7 +1325,13 @@ fi {{% if sed_path_separator in regex %}} {{{ raise("regex (" + regex + ") uses sed path separator (" + sed_path_separator + ") in " + rule_id) }}} {{% endif %}} -LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}" + {{%- if sed_path_separator != "/" -%}} + # non default delimiter with delete operation needs to be escaped + LC_ALL=C sed -i "\{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}" + {{%- else -%}} + LC_ALL=C sed -i "{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}" + {{%- endif -%}} + {{%- endmacro -%}} From 4f41aa5efc1ddeedb875691addf88190ce72a037 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 7 May 2026 13:07:34 +0300 Subject: [PATCH 2/5] Add condition for sle16/slmicro6, file is missing by default --- shared/macros/10-ansible.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/shared/macros/10-ansible.jinja b/shared/macros/10-ansible.jinja index 4ef924893f5..e868244ed52 100644 --- a/shared/macros/10-ansible.jinja +++ b/shared/macros/10-ansible.jinja 
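Review bot: The one-space indentation inside the new `{{%- if -%}}`/`{{%- else -%}}` branches leaks into the generated script: `-%}}` strips the whitespace after each tag, but nothing strips the newline and leading space between the `# non default delimiter ...` line and the `LC_ALL=C sed` line below it, so on the non-default path the remediation receives a bash comment followed by a sed command indented by one space, while the default path and the old code emit it at column 0. The comment is also imprecise — the backslash is required for any sed address written with a custom delimiter (`\#regex#`), not specifically for deletion — and as written it is emitted into every generated remediation; if it is meant for maintainers it belongs in a Jinja comment, if for the script reader it should read `# a sed address with a non-default delimiter must be written as \<delim>regex<delim>`. Both branches can collapse into one command: `{{% set address_prefix = "\\" if sed_path_separator != "/" else "" %}}` followed by `LC_ALL=C sed -i "{{{ address_prefix }}}{{{ sed_path_separator }}}{{{ regex }}}{{{ sed_path_separator }}}{{{ modifier }}}" "{{{ path }}}"`, assuming `set` is usable inside macros in the project's Jinja environment. The existing guard only rejects a separator that occurs in the regex; since the expression stays double-quoted, a separator of `"`, `$` or a backtick would still corrupt the command, so the `raise` could cover those as well. The body of `lineinfile_absent` starts before this hunk.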
@@ -847,6 +847,9 @@ The following macro remediates Audit syscall rule in :code:`/etc/audit/audit.rul with_items: - { path: /etc/sudoers } - "{{ sudoers.files }}" +{{% if product in [ 'sle16', 'slmicro6' ] %}} + when: not ansible_check_mode +{{% endif %}} {{%- endmacro -%}} From d4450c23fa4206111d6b62289eb540e0d6fc44a5 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 7 May 2026 13:08:08 +0300 Subject: [PATCH 3/5] Update the template for sle16 so - if /etc/sudoers is missing always fail the OVAL in bash,ansible remediations: - copy distro defaults and remove @includedir /usr/etc/sudoers.d before applying real fix --- .../sudo_defaults_option/ansible.template | 25 ++++++++++++++++++- .../sudo_defaults_option/bash.template | 5 ++++ .../sudo_defaults_option/oval.template | 11 +++++++- 3 files changed, 39 insertions(+), 2 deletions(-) diff --git a/shared/templates/sudo_defaults_option/ansible.template b/shared/templates/sudo_defaults_option/ansible.template index 608ec397ffa..3aaed64fa35 100644 --- a/shared/templates/sudo_defaults_option/ansible.template +++ b/shared/templates/sudo_defaults_option/ansible.template @@ -3,6 +3,20 @@ # strategy = restrict # complexity = low # disruption = low + +{{% if product in [ 'sle16', 'slmicro6' ] %}} +{{{ ansible_copy_distro_defaults('/usr/etc/sudoers', '/etc/sudoers', rule_title=rule_title) }}} +{{{ + ansible_lineinfile( + rule_title + " - Remove /usr/etc/sudoers.d include directive from /etc/sudoers", + path="/etc/sudoers", + regex='^\s*@includedir\s+/usr/etc/sudoers.d', + state="absent", + when="not ansible_check_mode" + ) +}}} +{{% endif %}} + {{% if VARIABLE_NAME %}} {{{ ansible_instantiate_variables(VARIABLE_NAME) }}} - name: Ensure {{{ OPTION }}} is enabled with the appropriate value in /etc/sudoers 
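Review bot: `when: not ansible_check_mode` makes this sudoers clean-up task silently skip under `ansible-playbook --check` on sle16/slmicro6, so a dry-run audit on those products reports the task as skipped instead of showing whether `/etc/sudoers` would change. If the motivation is that `/etc/sudoers` may not exist before the copy task has run, a guard on the file's existence keeps check-mode reporting truthful, and if `lineinfile` with `state: absent` already tolerates a missing path the guard may be unnecessary — please confirm which case applies. The product list `[ 'sle16', 'slmicro6' ]` is hard-coded here and repeated verbatim in every later hunk of the series (the sudo_defaults_option templates, the sudo_require_authentication and sudo_require_reauthentication remediations and OVALs, and all the tests), which turns the next product with a `/usr/etc/sudoers` layout into a twenty-file change; one shared definition such as `{{% set sudoers_in_usr_etc = product in [ 'sle16', 'slmicro6' ] %}}` in a single place would keep the gating consistent. The macro this `when:` belongs to starts before the hunk, so the task it attaches to is not fully visible here.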
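Review bot: The include-removal regex `'^\s*@includedir\s+/usr/etc/sudoers.d'` differs from its bash counterpart `"^\s*@includedir\s*/usr/etc/sudoers\.d"` in the bash.template hunk: the dot before `d` is unescaped here and the whitespace quantifier is `\s+` in one and `\s*` in the other. This line is the only thing that stops directives living under `/usr/etc/sudoers.d` from staying active after remediation, while the OVAL only scans `/etc/sudoers` and `/etc/sudoers.d` (see the `^\/etc\/(sudoers|sudoers\.d\/.*)$` pattern in the sudo_require_reauthentication OVAL hunk), so the two patterns should match the same lines as far as Python `re` and sed BRE allow; at minimum `regex='^\s*@includedir\s+/usr/etc/sudoers\.d'`. Sudo also still accepts the older `#includedir` spelling — if a shipped default could use it, `[@#]includedir` covers both. The same `ansible_lineinfile` call is copied into sudo_require_authentication/ansible/shared.yml and sudo_require_reauthentication/ansible/shared.yml later in the series.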
@@ -13,13 +27,19 @@ validate: /usr/sbin/visudo -cf %s backrefs: yes register: edit_sudoers_{{{ OPTION }}}_option - +{{% if product in [ 'sle16', 'slmicro6' ] %}} + when: not ansible_check_mode +{{% endif %}} - name: Enable {{{ OPTION }}} option with appropriate value in /etc/sudoers ansible.builtin.lineinfile: # noqa 503 path: /etc/sudoers line: 'Defaults {{{ OPTION }}}={{ {{{ VARIABLE_NAME }}} }}' validate: /usr/sbin/visudo -cf %s +{{% if product in [ 'sle16', 'slmicro6' ] %}} + when: not ansible_check_mode and edit_sudoers_{{{ OPTION }}}_option is defined and not edit_sudoers_{{{ OPTION }}}_option.changed +{{% else %}} when: edit_sudoers_{{{ OPTION }}}_option is defined and not edit_sudoers_{{{ OPTION }}}_option.changed +{{% endif %}} {{% else %}} - name: Ensure {{{ OPTION }}} is enabled in /etc/sudoers ansible.builtin.lineinfile: @@ -27,4 +47,7 @@ regexp: '^[\s]*Defaults.*\b{{{ OPTION }}}\b.*$' line: 'Defaults {{{ OPTION }}}' validate: /usr/sbin/visudo -cf %s +{{% if product in [ 'sle16', 'slmicro6' ] %}} + when: not ansible_check_mode +{{% endif %}} {{% endif %}} diff --git a/shared/templates/sudo_defaults_option/bash.template b/shared/templates/sudo_defaults_option/bash.template index 67b600228b1..ae1afe7cc6a 100644 --- a/shared/templates/sudo_defaults_option/bash.template +++ b/shared/templates/sudo_defaults_option/bash.template @@ -7,6 +7,11 @@ {{{ bash_instantiate_variables(VARIABLE_NAME) }}} {{% endif %}} + +{{% if product in [ 'sle16', 'slmicro6' ] %}} +{{{ bash_copy_distro_defaults("/usr/etc/sudoers", "/etc/sudoers") }}} +{{{ lineinfile_absent("/etc/sudoers", "^\s*@includedir\s*/usr/etc/sudoers\.d", sed_path_separator="#", rule_id=rule_id) }}} +{{% endif %}} if /usr/sbin/visudo -qcf /etc/sudoers; then cp /etc/sudoers /etc/sudoers.bak if ! grep -P '^[\s]*Defaults\b[^!\n]*\b{{{ OPTION_REGEX }}}.*$' /etc/sudoers; then 
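Review bot: The sle16/slmicro6 branch of the `Enable {{{ OPTION }}} option` task repeats the whole `edit_sudoers_{{{ OPTION }}}_option is defined and not ...changed` condition only to prepend `not ansible_check_mode and`, so the two copies will drift the next time the condition is edited; a single `when:` with the product-specific prefix inlined, `when: {{% if product in [ 'sle16', 'slmicro6' ] %}}not ansible_check_mode and {{% endif %}}edit_sudoers_{{{ OPTION }}}_option is defined and not edit_sudoers_{{{ OPTION }}}_option.changed`, keeps one condition. The `when: not ansible_check_mode` added to the preceding `register:` task means `edit_sudoers_{{{ OPTION }}}_option` holds a skipped result in check mode, which is only safe because the consumer is gated on `not ansible_check_mode` too — a one-line comment above the `register:` task saying so would stop someone from dropping one guard without the other. The next hunk of this file and the sudo_require_reauthentication ansible hunk follow the same pattern. The task list continues outside the hunk.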
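Review bot: The new `bash_copy_distro_defaults` / `lineinfile_absent` pair runs on every remediation, ahead of the `visudo -qcf /etc/sudoers` check and the `.bak` copy that protect the rest of the script; that is only safe if `bash_copy_distro_defaults` copies solely when `/etc/sudoers` is absent — if it overwrites an existing file, each run would discard local sudoers changes, so please confirm the macro's behaviour (its body is not in this diff). It is also worth asserting in a test that the resulting `/etc/sudoers` keeps root ownership and mode 0440, since `visudo -cf` does not necessarily check owner or mode and sudo itself refuses a file that is writable by others. A blank line after `{{% endif %}}` would separate this block from the `if /usr/sbin/visudo` that follows, matching the blank line above it. The sudo_require_authentication and sudo_require_reauthentication bash hunks later in the series carry the same additions.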
diff --git a/shared/templates/sudo_defaults_option/oval.template b/shared/templates/sudo_defaults_option/oval.template index 59a2a001e9a..ae99a13560f 100644 --- a/shared/templates/sudo_defaults_option/oval.template +++ b/shared/templates/sudo_defaults_option/oval.template @@ -1,7 +1,12 @@ {{{ oval_metadata("Checks sudoers Defaults " + OPTION + " configuration", rule_title=rule_title) }}} - + + {{% if product in [ 'sle16', 'slmicro6' ] %}} + + {{% endif %}} @@ -24,4 +29,8 @@ {{% endif %}} + {{% if product in [ 'sle16', 'slmicro6' ] %}} + {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}} + {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}} + {{% endif %}} From 106af1e7d399fec214955fcbd142e2373627cb48 Mon Sep 17 00:00:00 2001 
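Review bot: The new `oval_config_file_exists_test('/etc/sudoers', ...)` turns an absent `/etc/sudoers` into a hard fail on sle16/slmicro6 even when the required `Defaults` option is set under `/usr/etc/sudoers` or `/usr/etc/sudoers.d`, because the content check (the `^\/etc\/(sudoers|sudoers\.d\/.*)$` pattern in the sudo_require_reauthentication OVAL hunk) never looks under `/usr/etc`; that is the stated intent of the series, but it should be recorded in the affected rules' descriptions, which this diff does not touch. The XML of this hunk has lost its tags in the rendering, so how the existence test is combined with the existing criteria (presumably an AND with the option criterion) cannot be verified here — please double-check the criteria operator. The same existence test is added to the sudo_require_authentication, sudo_require_reauthentication and sudoers_no_command_negation OVALs.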
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 7 May 2026 13:11:10 +0300 Subject: [PATCH 4/5] Make sure we use sudo_defaults_option implementation and add relevant tests --- .../sudo_add_noexec/tests/etc_sudoers.missing.fail.sh | 8 ++++++++ .../sudo/sudo_add_noexec/tests/noexec_absent.fail.sh | 3 +++ .../sudo/sudo_add_noexec/tests/noexec_enabled_dir.pass.sh | 3 +++ .../sudo_add_use_pty/tests/etc_sudoers_missing.fail.sh | 8 ++++++++ .../sudo/sudo_add_use_pty/tests/use_pty_absent.fail.sh | 3 +++ .../sudo/sudo_add_use_pty/tests/use_pty_disabled.fail.sh | 3 +++ .../sudo_add_use_pty/tests/use_pty_enabled_dir.pass.sh | 3 +++ .../sudo_custom_logfile/tests/etc_sudoers_missing.fail.sh | 8 ++++++++ .../sudo/sudo_custom_logfile/tests/logfile_absent.fail.sh | 3 +++ .../sudo_custom_logfile/tests/logfile_enabled_dir.pass.sh | 3 +++ 10 files changed, 45 insertions(+) create mode 100644 linux_os/guide/system/software/sudo/sudo_add_noexec/tests/etc_sudoers.missing.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/etc_sudoers_missing.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/etc_sudoers_missing.fail.sh diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/etc_sudoers.missing.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/etc_sudoers.missing.fail.sh new file mode 100644 index 00000000000..398d45e1fad --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/etc_sudoers.missing.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +if [ -e "/etc/sudoers" ] ; then + rm "/etc/sudoers" +fi +echo "Defaults noexec" >> /etc/sudoers.d/enable_noexec diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_absent.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_absent.fail.sh index ad54d80ce09..a0dbeee7487 100644 
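Review bot: The new file is named `etc_sudoers.missing.fail.sh`, while the equivalent tests added for sudo_add_use_pty and sudo_custom_logfile in this commit are `etc_sudoers_missing.fail.sh`; the extra dot is easy to misread and breaks the naming pattern. The `if [ -e ... ]; then rm ...; fi` guard reduces to `rm -f -- /etc/sudoers`. The test is pinned to `# platform = SUSE Linux Enterprise 16`, but the remediation and OVAL changes are gated on `product in [ 'sle16', 'slmicro6' ]`, so the slmicro6 path has no scenario unless the test harness maps that platform as well.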
--- a/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_absent.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_absent.fail.sh @@ -2,6 +2,9 @@ # platform = multi_platform_all touch /etc/sudoers.d/empty +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Code taken from macro bash_sudo_remove_config() for f in /etc/sudoers /etc/sudoers.d/*; do if [ ! -e "$f" ]; then diff --git a/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_enabled_dir.pass.sh b/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_enabled_dir.pass.sh index 105c1ccffbe..531ceeec755 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_enabled_dir.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_noexec/tests/noexec_enabled_dir.pass.sh @@ -1,4 +1,7 @@ #!/bin/bash # platform = multi_platform_all +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} echo "Defaults noexec" >> /etc/sudoers.d/enable_noexec diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/etc_sudoers_missing.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/etc_sudoers_missing.fail.sh new file mode 100644 index 00000000000..b3b172f6a0e --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/etc_sudoers_missing.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +if [ -e "/etc/sudoers" ] ; then + rm "/etc/sudoers" +fi +echo "Defaults use_pty" >> /etc/sudoers.d/enable_use_pty diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_absent.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_absent.fail.sh index df6bb677d20..7fd1f3e5709 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_absent.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_absent.fail.sh 
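Review bot: `touch /etc/sudoers` creates the fixture with the running umask (normally 0644 root:root) rather than the 0440 sudo expects, so the scenario does not quite model a real host; the OVAL only reads content and the outcome is unaffected, but `install -m 0440 -o root -g root /dev/null /etc/sudoers` is as short and additionally exercises that the remediation preserves the mode. The same `touch` is added to noexec_enabled_dir and to the use_pty, logfile, authentication and reauthentication tests later in the series (the remaining hunks on this line, the next two lines, and the correct_value/missing_value/wrong_value tests of commit 5), so whichever form is chosen should be applied to all of them.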
@@ -3,6 +3,9 @@ # packages = sudo touch /etc/sudoers.d/empty +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Code taken from macro bash_sudo_remove_config() for f in /etc/sudoers /etc/sudoers.d/*; do [ -e "$f" ] || continue diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_disabled.fail.sh b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_disabled.fail.sh index 774b96c1b84..1b1047b03d9 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_disabled.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_disabled.fail.sh @@ -2,5 +2,8 @@ # platform = multi_platform_all # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} sed '/Defaults.*use_pty/ s/.*/#&/g' -i /etc/sudoers /etc/sudoers.d/* echo "Defaults !use_pty" >> /etc/sudoers.d/enable_use_pty diff --git a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_enabled_dir.pass.sh b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_enabled_dir.pass.sh index ae0ca71f93d..0f8a07ca0ba 100644 --- a/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_enabled_dir.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_add_use_pty/tests/use_pty_enabled_dir.pass.sh @@ -2,4 +2,7 @@ # platform = multi_platform_all # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} echo "Defaults use_pty" >> /etc/sudoers.d/enable_use_pty diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/etc_sudoers_missing.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/etc_sudoers_missing.fail.sh new file mode 100644 index 00000000000..599ed44ff52 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/etc_sudoers_missing.fail.sh 
@@ -0,0 +1,8 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +if [ -e "/etc/sudoers" ] ; then + rm "/etc/sudoers" +fi +echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers.d/enable_logfile diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_absent.fail.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_absent.fail.sh index 4e67eab5cdb..fff1df2ff96 100644 --- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_absent.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_absent.fail.sh @@ -3,6 +3,9 @@ # packages = sudo touch /etc/sudoers.d/empty +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Code taken from macro bash_sudo_remove_config() for f in /etc/sudoers /etc/sudoers.d/*; do if [ ! -e "$f" ]; then diff --git a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_enabled_dir.pass.sh b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_enabled_dir.pass.sh index 644d08eb6a3..0866ec887ed 100644 --- a/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_enabled_dir.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_custom_logfile/tests/logfile_enabled_dir.pass.sh @@ -2,4 +2,7 @@ # platform = multi_platform_all # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers.d/enable_logfile From fe209e3f577282d7c34228c79d3f53d4ee7db2ea Mon Sep 17 00:00:00 2001 
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 7 May 2026 13:13:34 +0300 Subject: [PATCH 5/5] added same fixes as sudo_defaults_option template and modified/added tests --- .../ansible/shared.yml | 13 +++++++++++ .../bash/shared.sh | 4 ++++ .../oval/shared.xml | 9 ++++++++ .../authenticate_disabled_include_dir.fail.sh | 6 +++++ .../tests/etc_sudoers_missing.fail.sh | 8 +++++++ .../tests/nopasswd_include_dir.fail.sh | 6 +++++ .../ansible/shared.yml | 22 +++++++++++++++++++ .../bash/shared.sh | 7 +++++- .../oval/shared.xml | 15 ++++++++++--- .../tests/correct_value_1.pass.sh | 3 +++ .../tests/correct_value_4.pass.sh | 3 +++ .../tests/correct_value_7.pass.sh | 3 +++ .../tests/correct_value_8.pass.sh | 3 +++ .../tests/correct_value_with_spaces_2.pass.sh | 3 +++ .../tests/etc_sudoers_missing.fail.sh | 8 +++++++ .../tests/missing_value.fail.sh | 3 +++ .../tests/missing_value_1.fail.sh | 3 +++ .../tests/wrong_value_1.fail.sh | 3 +++ .../oval/shared.xml | 9 ++++++++ .../tests/etc_sudoers_missing.fail.sh | 9 ++++++++ 20 files changed, 136 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/authenticate_disabled_include_dir.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/etc_sudoers_missing.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_require_authentication/tests/nopasswd_include_dir.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/etc_sudoers_missing.fail.sh create mode 100644 linux_os/guide/system/software/sudo/sudoers_no_command_negation/tests/etc_sudoers_missing.fail.sh diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml index e5e00c5715e..d402ee5e09c 100644 
--- a/linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/ansible/shared.yml @@ -4,6 +4,19 @@ # complexity = low # disruption = low +{{% if product in [ 'sle16', 'slmicro6' ] %}} +{{{ ansible_copy_distro_defaults('/usr/etc/sudoers', '/etc/sudoers', rule_title=rule_title) }}} +{{{ + ansible_lineinfile( + rule_title + " - Remove /usr/etc/sudoers.d include directive from /etc/sudoers", + path="/etc/sudoers", + regex='^\s*@includedir\s+/usr/etc/sudoers.d', + state="absent", + when="not ansible_check_mode" + ) +}}} +{{% endif %}} + {{{ ansible_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}} {{{ ansible_sudo_remove_config("!authenticate", "\!authenticate") }}} diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh index 92883b92f31..fdcbedcd72e 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/bash/shared.sh @@ -4,6 +4,10 @@ # complexity = low # disruption = low +{{% if product in [ 'sle16', 'slmicro6' ] %}} +{{{ bash_copy_distro_defaults("/usr/etc/sudoers", "/etc/sudoers") }}} +{{{ lineinfile_absent("/etc/sudoers", "^\s*@includedir\s*/usr/etc/sudoers\.d", sed_path_separator="#", rule_id=rule_id) }}} +{{% endif %}} {{{ bash_sudo_remove_config("NOPASSWD", "NOPASSWD[\s]*\:") }}} {{{ bash_sudo_remove_config("!authenticate", "\!authenticate") }}} diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml index f30ce938fea..2aa4cc66782 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/oval/shared.xml 
@@ -4,6 +4,15 @@ + {{% if product in [ 'sle16', 'slmicro6' ] %}} + + {{% endif %}} + {{% if product in [ 'sle16', 'slmicro6' ] %}} + {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}} + {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}} + {{% endif %}} diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/authenticate_disabled_include_dir.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/authenticate_disabled_include_dir.fail.sh new file mode 100644 index 00000000000..95218b2f07e --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/authenticate_disabled_include_dir.fail.sh @@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +touch /etc/sudoers +echo "Defaults !authenticate" > /etc/sudoers.d/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/etc_sudoers_missing.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/etc_sudoers_missing.fail.sh new file mode 100644 index 00000000000..640f2c58627 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/etc_sudoers_missing.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +if [ -e "/etc/sudoers" ] ; then + rm "/etc/sudoers" +fi +echo "Defaults authenticate" > /etc/sudoers.d/authenticate diff --git a/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/nopasswd_include_dir.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/nopasswd_include_dir.fail.sh new file mode 100644 index 00000000000..445faf103e1 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_require_authentication/tests/nopasswd_include_dir.fail.sh 
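Review bot: `authenticate_disabled_include_dir.fail.sh` (and `nopasswd_include_dir.fail.sh` on the next line) puts the offending directive in `/etc/sudoers.d/sudoers`, which the existing content checks already cover; the directory this series is about, the distro-managed `/usr/etc/sudoers.d` that the shipped `@includedir` pulls in, is never populated in any test. A scenario that writes `Defaults !authenticate` under `/usr/etc/sudoers.d/` would document the check's limit — the OVAL only scans `/etc/sudoers` and `/etc/sudoers.d`, so on an unremediated host it still reports pass — and would verify that the remediation's include removal actually makes the directive inert. Since the rendering of the OVAL hunk above has lost its XML tags, I cannot tell from here whether the existence criterion was meant to cover that case instead.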
@@ -0,0 +1,6 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +touch /etc/sudoers +echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml index 7a9b0222c4a..83941c804e7 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/ansible/shared.yml @@ -6,6 +6,19 @@ {{{ ansible_instantiate_variables("var_sudo_timestamp_timeout") }}} +{{% if product in [ 'sle16', 'slmicro6' ] %}} +{{{ ansible_copy_distro_defaults('/usr/etc/sudoers', '/etc/sudoers', rule_title=rule_title) }}} +{{{ + ansible_lineinfile( + rule_title + " - Remove /usr/etc/sudoers.d include directive from /etc/sudoers", + path="/etc/sudoers", + regex='^\s*@includedir\s+/usr/etc/sudoers.d', + state="absent", + when="not ansible_check_mode" + ) +}}} +{{% endif %}} + - name: "{{{ rule_title }}} - Find /etc/sudoers.d/* files containing 'Defaults timestamp_timeout'" ansible.builtin.find: path: "/etc/sudoers.d" 
@@ -28,15 +41,24 @@ validate: /usr/sbin/visudo -cf %s backrefs: yes register: edit_sudoers_timestamp_timeout_option +{{% if product in [ 'sle16', 'slmicro6' ] %}} + when: not ansible_check_mode +{{% endif %}} - name: "{{{ rule_title }}} - Enable timestamp_timeout option with correct value in /etc/sudoers" ansible.builtin.lineinfile: # noqa 503 path: /etc/sudoers line: 'Defaults timestamp_timeout={{ var_sudo_timestamp_timeout }}' validate: /usr/sbin/visudo -cf %s +{{% if product in [ 'sle16', 'slmicro6' ] %}} + when: > + not ansible_check_mode and edit_sudoers_timestamp_timeout_option is defined and + not edit_sudoers_timestamp_timeout_option.changed +{{% else %}} when: > edit_sudoers_timestamp_timeout_option is defined and not edit_sudoers_timestamp_timeout_option.changed +{{% endif %}} - name: "{{{ rule_title }}} - Remove timestamp_timeout wrong values in /etc/sudoers" ansible.builtin.lineinfile: diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh index 4a5d5cb1f03..b9292fdf9df 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/bash/shared.sh @@ -7,6 +7,11 @@ {{{ bash_instantiate_variables("var_sudo_timestamp_timeout") }}} +{{% if product in [ 'sle16', 'slmicro6' ] %}} +{{{ bash_copy_distro_defaults("/usr/etc/sudoers", "/etc/sudoers") }}} +{{{ lineinfile_absent("/etc/sudoers", "^\s*@includedir\s*/usr/etc/sudoers\.d", sed_path_separator="#", rule_id=rule_id) }}} +{{% endif %}} + if grep -Px '^[\s]*Defaults.*timestamp_timeout[\s]*=.*' /etc/sudoers.d/*; then find /etc/sudoers.d/ -type f -exec sed -Ei "/^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=.*/d" {} \; fi 
@@ -22,7 +27,7 @@ if /usr/sbin/visudo -qcf /etc/sudoers; then sed -Ei "s/(^[[:blank:]]*Defaults.*timestamp_timeout[[:blank:]]*=)[[:blank:]]*[-]?\w+(.*$)/\1${var_sudo_timestamp_timeout}\2/" /etc/sudoers fi fi - + # Check validity of sudoers and cleanup bak if /usr/sbin/visudo -qcf /etc/sudoers; then rm -f /etc/sudoers.bak diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml index a0654aa4747..f524f270c56 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/oval/shared.xml @@ -4,6 +4,11 @@ + {{% if product in [ 'sle16', 'slmicro6' ] %}} + + {{% endif %}} @@ -18,14 +23,18 @@ - ^\/etc\/(sudoers|sudoers\.d\/.*)$ + ^\/etc\/(sudoers|sudoers\.d\/.*)$ ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[+]?(\d*\.\d+|\d+\.\d*|\d+)$ 1 - ^\/etc\/(sudoers|sudoers\.d\/.*)$ + ^\/etc\/(sudoers|sudoers\.d\/.*)$ ^[\s]*Defaults[\s]+timestamp_timeout[\s]*=\s*[\-](\d*\.\d+|\d+\.\d*|\d+)$ 1 - + + {{% if product in [ 'sle16', 'slmicro6' ] %}} + {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}} + {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}} + {{% endif %}} diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_1.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_1.pass.sh index 6f22042299c..c075a558985 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_1.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_1.pass.sh 
@@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_4.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_4.pass.sh index b85aa320945..921f4b73dce 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_4.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_4.pass.sh @@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_7.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_7.pass.sh index ca06721f40b..a0490063068 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_7.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_7.pass.sh @@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_8.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_8.pass.sh index 813d04fe2f1..afc6c8e2af0 100644 
--- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_8.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_8.pass.sh @@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_with_spaces_2.pass.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_with_spaces_2.pass.sh index 18abae85b0c..c4a5ee2dd23 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_with_spaces_2.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/correct_value_with_spaces_2.pass.sh @@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/etc_sudoers_missing.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/etc_sudoers_missing.fail.sh new file mode 100644 index 00000000000..d12750f8695 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/etc_sudoers_missing.fail.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo + +if [ -e "/etc/sudoers" ] ; then + rm "/etc/sudoers" +fi +echo "Defaults timestamp_timeout=3" >> /etc/sudoers.d/00-complianceascode-test.conf 
diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value.fail.sh index faedbd64ac7..2b8632b71c2 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value.fail.sh @@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers fi diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value_1.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value_1.fail.sh index 1b5e460ae74..219502541ca 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value_1.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/missing_value_1.fail.sh @@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from /etc/sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/wrong_value_1.fail.sh b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/wrong_value_1.fail.sh index 06ca6cd0cbf..36988997069 100644 --- a/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/wrong_value_1.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_require_reauthentication/tests/wrong_value_1.fail.sh 
@@ -1,6 +1,9 @@ #!/bin/bash # packages = sudo +{{% if product in [ 'sle16', 'slmicro6' ] %}} +touch /etc/sudoers +{{% endif %}} # Remove Defaults timestamp_timeout from sudoers if grep -q 'timestamp_timeout' /etc/sudoers; then sed -i '/.*timestamp_timeout.*/d' /etc/sudoers diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/oval/shared.xml b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/oval/shared.xml index 56d10458aa2..d9dc20314df 100644 --- a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/oval/shared.xml +++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/oval/shared.xml @@ -3,6 +3,11 @@ {{{ oval_metadata("Check that sudoers doesn't contain command negations", rule_title=rule_title) }}} + {{% if product in [ 'sle16', 'slmicro6' ] %}} + + {{% endif %}} @@ -23,4 +28,8 @@ ^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).* 1 + {{% if product in [ 'sle16', 'slmicro6' ] %}} + {{{ oval_config_file_exists_test('/etc/sudoers', rule_id=rule_id) }}} + {{{ oval_config_file_exists_object('/etc/sudoers', rule_id=rule_id) }}} + {{% endif %}} diff --git a/linux_os/guide/system/software/sudo/sudoers_no_command_negation/tests/etc_sudoers_missing.fail.sh b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/tests/etc_sudoers_missing.fail.sh new file mode 100644 index 00000000000..5f6b8de8098 --- /dev/null +++ b/linux_os/guide/system/software/sudo/sudoers_no_command_negation/tests/etc_sudoers_missing.fail.sh @@ -0,0 +1,9 @@ +#!/bin/bash +# platform = SUSE Linux Enterprise 16 +# packages = sudo +# remediation = none + +if [ -e "/etc/sudoers" ] ; then + rm "/etc/sudoers" +fi +echo 'nobody ALL=/bin/ls, (bob !alice) /bin/dog, /bin/cat !arg' > /etc/sudoers.d/foo
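Review bot: The fixture line `echo 'nobody ALL=/bin/ls, (bob !alice) /bin/dog, /bin/cat !arg' > /etc/sudoers.d/foo` contains the very command negations this rule flags, so the scenario fails whether or not the new `/etc/sudoers` existence test works — it does not isolate the condition its name describes. Use a compliant entry, `echo 'nobody ALL=/bin/ls' > /etc/sudoers.d/foo`, so that a regression in the existence criterion turns this test into a pass and is caught. The `rm` guard can likewise be `rm -f -- /etc/sudoers`, as in the other `etc_sudoers_missing` tests of this series.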