From 175be75cf6c886cb0c79f76a38165889252ea30d Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 13 Oct 2015 09:19:45 -0500
Subject: [PATCH] V-58901: sudo requires auth

Implements: blueprint security-hardening
Change-Id: I3ca1a2cbd4af2b77b65fe7a69eb0a757482180bc
---
 doc/source/developer-notes/V-58901.rst | 3 +++
 tasks/auth.yml | 29 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 doc/source/developer-notes/V-58901.rst

diff --git a/doc/source/developer-notes/V-58901.rst b/doc/source/developer-notes/V-58901.rst
new file mode 100644
index 00000000..779c172d
--- /dev/null
+++ b/doc/source/developer-notes/V-58901.rst
@@ -0,0 +1,3 @@
+The Ansible tasks will search for ``NOPASSWD`` and ``!authenticate`` in the
+sudo configuration. If either is found, the playbook will fail and an error
+message will be printed.
diff --git a/tasks/auth.yml b/tasks/auth.yml
index e5a44585..65d75ea0 100644
--- a/tasks/auth.yml
+++ b/tasks/auth.yml
@@ -329,3 +329,32 @@
 - auth
 - cat3
 - V-38683
+
+- name: Checking for NOPASSWD in sudoers (for V-58901)
+ shell: "egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*"
+ register: v58901_nopasswd_result
+ changed_when: False
+ failed_when: v58901_nopasswd_result.rc > 1
+ tags:
+ - auth
+ - cat2
+ - V-58901
+
+- name: Checking for !authenticate in sudoers (for V-58901)
+ shell: "egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*"
+ register: v58901_authenticate_result
+ changed_when: False
+ failed_when: v58901_authenticate_result.rc > 1
+ tags:
+ - auth
+ - cat2
+ - V-58901
+
+- name: V-58901 - The sudo command must require authentication
+ fail:
+ msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration"
+ when: v58901_nopasswd_result.rc == 0 or v58901_authenticate_result.rc == 0
+ tags:
+ - auth
+ - cat2
+ - V-58901
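Review bot: The `/etc/sudoers.d/*` glob in the two `shell` tasks is passed through literally by /bin/sh when the directory is empty, so egrep reports a missing file and (on GNU grep) exits 2 even if a match was found in `/etc/sudoers`, which `failed_when: v58901_nopasswd_result.rc > 1` turns into a failure of the check itself rather than a finding; an unreadable file in the directory has the same effect. Letting grep walk the directory avoids both cases: `shell: "grep -Er '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d"` (and likewise `'^[^#]*!authenticate'` in the second task), which exits 1 on an empty directory and prefixes each hit with its file name. The final `fail` task then discards that output, so an operator has to repeat the search by hand to find what to remediate; `msg: "FAILED: NOPASSWD or !authenticate found in sudo configuration: {{ v58901_nopasswd_result.stdout_lines + v58901_authenticate_result.stdout_lines }}"` would surface the offending lines in the failure itself. Only the two fixed paths are examined, so `#include`/`#includedir` directives in `/etc/sudoers` that point elsewhere are not followed, which is worth stating in the developer note alongside the existing description. The three context lines at the top of the hunk belong to a task whose definition begins above it.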