SLEM 5 must specify the default "include" directory for the /etc/sudoers file.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-261376	SRG-OS-000480-GPOS-00227	SLEM-05-432030	SV-261376r996564_rule	2024-06-04	1

Description
The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without reauthenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includedir directives. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are also accepted. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.

Description

The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without reauthenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. It is possible to include other sudoers files from within the sudoers file currently being parsed using the @include and @includedir directives. For compatibility with sudo versions prior to 1.9.1, #include and #includedir are also accepted. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) is reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.

ℹ️ Check
Verify SLEM 5 specifies only the default "include" directory for the /etc/sudoers file, and does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. > sudo find /etc/sudoers /etc/sudoers.d -type f -exec grep -H "[#@]include" {} + /etc/sudoers:@includedir /etc/sudoers.d If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.

ℹ️ Check

Verify SLEM 5 specifies only the default "include" directory for the /etc/sudoers file, and does not have nested "include" files or directories within the /etc/sudoers.d directory with the following command: Note: If the "include" and "includedir" directives are not present in the /etc/sudoers file, this requirement is not applicable. > sudo find /etc/sudoers /etc/sudoers.d -type f -exec grep -H "[#@]include" {} + /etc/sudoers:@includedir /etc/sudoers.d If the results are not "/etc/sudoers.d" or additional files or directories are specified, this is a finding.

✔️ Fix
Configure the "/etc/sudoers" file to only include the "/etc/sudoers.d" directory. Add or modify the following line: @includedir /etc/sudoers.d Remove any nested includes under the "/etc/sudoers.d" directory.