Kynlmprmon01 04212022-115554
Thu, 21 Apr 2022 11:55 (Eastern Standard Time) Thu, 21 Apr 2022 15:55 (UTC)
Server :
kynlmprmon01(10.28.20.234)
OS :
Linux
Policy :
SUDO-UNIX-CSD-4.0C
copyright © IBM 2018 , portions copyright © Free Software Foundation, Inc.(http://fsf.org/) , 2007
SUMMARY
RULE DETAILS
RuleID :1 (Compliant)
➣ Logging_SUDO_Log_File_Exists.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=Logging/SUDO Log File Exists
description=ZY.1.2.2 Sudo-specific Log File. If a sudo-specific log file is used, the
file must exist
priority=normal
expected=
RuleID : 2 (Compliant)
➣ Logging_SUDO_Logging_Enabled.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=Logging/SUDO Logging Enabled
description=ZY.1.2.1 Sudo Logging, must not be disabled. The following is NOT allowed
in the sudo configuration file: !logfile
priority=normal
expected=
RuleID : 3 (Compliant)
➣ System_Controls_SUDO_ALL_Access_Allowed.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=System Controls/SUDO ALL Access Allowed
description=ZY.1.4.3.3 Preventing Nested Sudo invocation. The sudo configuration file
must prevent users from using sudo to invoke sudo. The following must be the last
effective line in the sudo configuration file: ALL ALL=!SUDOSUDO.
priority=normal
expected=
RuleID : 4 (Compliant)
➣ System_Controls_SUDO_Commands_Allowing_Shell_Escape_NOEXEC.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=System Controls/SUDO Commands Allowing Shell Escape NOEXEC
description=ZY.1.4.2.0, ZY.1.4.2.1, ZY.1.4.2.2 Commands which allow shell escape.
Verifies SUDO commands allowing Shell Escape have NOEXEC function implemented.
priority=normal
expected=
RuleID : 5 (Compliant)
➣ System_Controls_SUDO_EnvFile.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=System Controls/SUDO EnvFile
description=The sudo configuration file must contain the statement Defaults
env_file=/etc/sudo.env. The sudo environment control file /etc/sudo.env must contain
the entries: SMIT_SHELL=n SMIT_SEMI_COLON=n SMIT_QUOTE=n /etc/sudo.env file's content
should be checked manually.
priority=normal
expected=
RuleID : 7 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Command_Group_Permissions.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Command Group Permissions
description=ZY.1.8.2.3 Protection requirements for system facility entries executing
with privilege authority. Each active entry's file/command/script executed, and all
existing directories in its path, must have settings for "group" of r-x or more
stringent, if owned by groups considered to be default groups for general users.
priority=normal
expected=Builtin Commands='sudoedit'
RuleID : 8 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Command_WW_Permissions.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Command WW Permissions
description=ZY.1.8.2.2 Protection requirements for system facility entries executing
with privilege authority. Each active entry's file/command/script executed, and all
directories in its path, must have settings for "other" of r-x or more stringent.
priority=normal
expected=AIX directories='/usr/sbin','/usr/etc','/usr','/usr/share','/var/adm','/usr/share/dict','/etc/locks','/etc/security','/','/etc','/bin','/usr/bin','/tmp','/var/tmp','/var':Linux directories='/etc','/var','/usr','/var/log','/var/tmp','/':Solaris directories='/platform','/sbin','/usr/sbin','/usr/bin','/var/log','/var/adm','/bin','/etc','/kernel','/lib':Builtin Commands='sudoedit'
RuleID : 9 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Config_File_Ownership.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Config File Ownership
description=ZY.1.8.1 Sudo configuration file File must be owned by root, and must not
be world-writable.
priority=normal
expected=
RuleID : 10 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Config_File_Permissions.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Config File Permissions
description=ZY.1.8.1 Sudo configuration file File must be owned by root, and must not
be world-writable.
priority=normal
expected=
RuleID : 11 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Env_File_Restriction.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Env File Restriction
description=Any file referenced by a env_file directive in the /etc/sudoers Each file
named must be owned by root, have 'group' which is one of the OS accepted OSR groups,
and and must not be world writable.
priority=normal
expected=AIX Privileged Groups='system','uucp','adm','audit','bin','cron','ecs','hacmp','haemrm','imnadm','ipsec','ldap','Ip','mail','pconsole','printq','security','shutdown','snapp','sys':Solaris Privileged Groups='mail','smmsp','root','adm','bin','cimsrvr','daemon','ftp','gdm','imnadm','lp','mysql','netadm','nuucp','openldap','pkg5srv','postgres','slocate','sms','sys','sysadmin','tty','upnp','uucp','webservd','xvm':HPUX Privileged Groups='adm','bin','cimsrvr','daemon','imnadm','lp','mail','nogroup','nuucp','root','sys','tty'
RuleID :12 (Non Compliant)
➣ protecting_Resources-OSRs_SUDO_Full_Path_Restriction
Full path must be used in /etc/sudoers.d/123_AE_GLB for: IBM_NONE_EDITOR (Cmnd_alias: )
Full path must be used in /etc/sudoers.d/123_AE_GLB for: IBM_NONE_SA (Cmnd_alias: )
Full path must be used in /etc/sudoers.d/123_AE_GLB for: IBM_SHELLESCAPE_ALL (Cmnd_alias: )
Full path must be used in /etc/sudoers.d/123_AE_GLB for: IBM_SHELLS_ALL (Cmnd_alias: IBM_UNIX_AE_BAU_CMDS)
Full path must be used in /etc/sudoers for: SUDOSUDO (Cmnd_alias: )
➣ protecting_Resources-OSRs_SUDO_Full_Path_Restriction.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Full Path Restriction
description=ZY.1.8.2.1 Protection requirements for system facility entries executing
with privilege authority. Each active entry must specify full path of the
file/command/script to be executed.
priority=normal
expected=Builtin Commands='sudoedit'
RuleID : 13 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Includedir_Full_Path_Restriction.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Includedir Full Path Restriction
description=Each file named must specify the full path of the included file.
priority=normal
expected=Builtin Commands='sudoedit'
RuleID : 14 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Includedir_Ownership.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Includedir Ownership
description=Each directory and file which is not an OS OSR must be owned by root and
have permissions of 700. OS OSR may be owned and with permissions as allowed by the OS
OSR requirements.
priority=normal
expected=
RuleID : 15 (Compliant)
➣ protecting_Resources-OSRs_SUDO_Includedir_Perms.rule
[metadata]
policy=SUDO-UNIX-CSD-4.0C
rule=protecting Resources-OSRs/SUDO Includedir Perms
description=For each directory named all existing directories in its path must have
settings for "other" of r-x or more stringent. For each file named all existing
directories in its path must have settings for "other" of r-x or more stringent.
priority=normal
expected=