STIG-required sudoers configs

Good morning,
We’re running OOD on an up-to-date RHEL 8 system, and my site is required to operate in compliance with the DoD STIG security standards. There are two specific sudoers configurations in OOD’s /etc/sudoers.d/ood which the rules restrict, the use of NOPASSWD and !authenticate:

Defaults:apache !requiretty, !authenticate
apache ALL=(ALL) NOPASSWD: /opt/ood/nginx_stage/sbin/nginx_stage

I could probably justify the exception request I’d need to file, but in an effort to minimize recurring admin exercises, how feasible is it to reconfigure things to adhere to those limitations? From my read of the documentation on nginx_stage, operating under sudo seems pretty central to the intended design.

How about removing just !authenticate, are there expected adverse effects? I’m curious why that extra config would be needed given that there is a specific NOPASSWD entry for the apache user to call nginx_stage.

Thanks for any thoughts or assistance, we’re just getting started with OOD and it’s fantastic.

Hi Daniel.

Welcome to the OnDemand Discourse. To be honest, other than an additional layer of security, I’m not sure why !authenticate is placed in there.

On my personal instance of OnDemand, I removed the !authenticate and didn’t appear to have any problems. However, I am not proposing that you do that. I’m sure the security folks have it in there for a good reason. But, if you choose to test that, then that would be completely your choice.

I am not advising that you change any security related configurations.

Thanks,
-gerald

Hi Daniel.

I’m not sure if this information will help you. Please see the following ticket. You will need to look at the discussions in the ticket to determine if this will help you or not.

Thanks,
-gerald

Thanks so much Gerald.
Unfortunately that GitHub issue doesn’t really apply. That’s more concerned with assessing OOD against a STIG standard for generic applications, whereas I’m dealing with keeping the underlying OS STIG-compliant while installing/running OOD.

I’ve removed the !authenticate parameter, while leaving in the NOPASSWD tag for apache to run nginx_stage, and so far things seem to be working. The fewer cybersecurity exceptions I have to file, the more likely we’ll be able to keep OOD running here.

Thanks again!

Thanks Daniel.

One thing you will need to remember is that anytime you do an upgrade of OnDemand, you may need to re-apply your change.

Thanks,
-gerald
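Added example, not from this thread or from the OnDemand project: a POSIX shell fragment that audits a sudoers fragment with the /etc/sudoers.d/ood layout quoted in the question for the two STIG-flagged directives, produces the variant Daniel describes (!authenticate removed, the NOPASSWD rule for nginx_stage kept), and gives a drift check for Gerald's point that an upgrade may put the shipped file back. The sample content is constructed from the two lines quoted above; the function names are my own.

```sh
#!/bin/sh
# Added example (not OOD's own tooling). Audits a sudoers fragment for the
# directives the STIG flags (!authenticate and NOPASSWD), emits a copy with
# !authenticate removed while keeping the NOPASSWD rule for nginx_stage, and
# offers a post-upgrade drift check.
# Assumes the fragment follows the layout shipped in /etc/sudoers.d/ood.

# Constructed sample mirroring the shipped fragment (not read from a live host).
SAMPLE_SUDOERS='Defaults:apache !requiretty, !authenticate
apache ALL=(ALL) NOPASSWD: /opt/ood/nginx_stage/sbin/nginx_stage'

# Number of lines carrying the !authenticate Defaults flag (always exits 0).
count_authenticate() {
    printf '%s\n' "$1" | grep -c '!authenticate' || :
}

# Number of NOPASSWD rules; these stay, so they are reported rather than edited.
count_nopasswd() {
    printf '%s\n' "$1" | grep -c 'NOPASSWD' || :
}

# Remove !authenticate from Defaults lines, preserving the other flags.
# A Defaults line whose only flag is !authenticate is dropped entirely,
# because a bare "Defaults:apache" would be a syntax error.
strip_authenticate() {
    printf '%s\n' "$1" | sed -E \
        -e '/^Defaults:apache[[:space:]]+!authenticate[[:space:]]*$/d' \
        -e '/^Defaults/s/,[[:space:]]*!authenticate//' \
        -e '/^Defaults/s/!authenticate[[:space:]]*,[[:space:]]*//'
}

# Drift check to run after an OnDemand upgrade: succeeds only if the flag is
# still absent, so a non-zero exit means the local change needs re-applying.
check_drift() {
    [ "$(count_authenticate "$1")" -eq 0 ]
}

# Stand-alone run: show the audit counts and the hardened fragment.
echo "!authenticate lines: $(count_authenticate "$SAMPLE_SUDOERS")"
echo "NOPASSWD rules:      $(count_nopasswd "$SAMPLE_SUDOERS")"
strip_authenticate "$SAMPLE_SUDOERS"
```

Validate any edited fragment with `visudo -c -f <file>` before placing it in /etc/sudoers.d, since a malformed fragment can lock out sudo for everyone.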