[Epic]: redhat.rhel_system_roles.sudo takes 6-7 hours to scan /etc/sudoers.d [rhel-9]
Issue type: Epic
Resolution: Unresolved
Red Hat Enterprise Linux / rhel-system-roles
Low
0% To Do, 0% In Progress, 100% Done
Dev ack
Release Note Not Required
This is a clone of issue RHEL-106261 to use for version rhel-9.7
–
Original description:
What were you trying to do that didn't work?
Using the redhat.rhel_system_roles.sudo role for managing /etc/sudoers.
The role still scans all sudo configuration on the system. The regexes in the scan_sudoers.py script that is used in the role have trouble recognizing certain types of configuration.
- The drop-in file below takes approximately 6-7 hours to parse:
How reproducible:
always
Steps to reproduce:
- Install the redhat.rhel_system_roles collection.

# Create any script.
Cmnd_Alias MGT_FB_SCRIPT=/usr/local/bin/manage_fb_inputs.sh
# filebeat_inputs may run the script without a password
filebeat_inputs ALL=(root)NOPASSWD: MGT_FB_SCRIPT
# Furthermore, everyone may do everything as filebeat_inputs, but with a password.
ALL,!filebeat_inputs ALL=(filebeat_inputs) ALL
# And may also use the script directly, but of course with a password.
ALL,!filebeat_inputs ALL=(root) MGT_FB_SCRIPT
======================================================
- If I remove the Cmnd_Alias line and place the script name directly in the lines that start with ALL, the whole role takes only 17 seconds:

# Cmnd_Alias MGT_FB_SCRIPT=/usr/local/bin/manage_fb_inputs.sh
filebeat_inputs ALL=(root)NOPASSWD: /usr/local/bin/manage_fb_inputs.sh
!filebeat_inputs ALL=(filebeat_inputs) ALL
# And may also use the script directly, but of course with a password.
!filebeat_inputs ALL=(root) /usr/local/bin/manage_fb_inputs.sh
Additional information:
For now I've solved the performance issues seen before by adding spaces where needed (so 'Cmnd_Alias MGT_FB_SCRIPT=/usr/local/bin/manage_fb_inputs.sh' becomes 'Cmnd_Alias MGT_FB_SCRIPT = /usr/local/bin/manage_fb_inputs.sh'), so we have a workaround.
I think this is a bug in the current parsing of the sudoers configuration by the 'Scan sudoers' task (caused by inefficient behavior of the regexes in the module that is used).
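The report above turns on how a sudoers scanner tokenizes `Cmnd_Alias NAME=value` when `=` has no surrounding spaces. The following is an added example, not the scan_sudoers.py shipped with the redhat.rhel_system_roles.sudo role and not the reporter's code: a small sudoers drop-in parser whose regexes are anchored and use non-overlapping character classes, so both the reported spelling and the spaced workaround are matched in a single left-to-right pass, plus a defender-side summary of which users get NOPASSWD commands after alias expansion. The regexes, dataclasses and function names are mine; the sample drop-in is a constructed copy of the one in the report with its comments translated; comma escaping inside commands and per-command tag scoping are simplified, as noted in the comments.

```python
"""Minimal sudoers drop-in parser (constructed example; NOT the scan_sudoers.py
used by the redhat.rhel_system_roles.sudo role).  Every regex is anchored and
uses character classes that cannot overlap, so a line such as
'Cmnd_Alias MGT_FB_SCRIPT=/usr/local/bin/manage_fb_inputs.sh' is matched in one
left-to-right pass whether or not '=' is surrounded by spaces."""
import re
from dataclasses import dataclass, field

ALIAS_RE = re.compile(
    r"^(?P<kind>User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\s+"
    r"(?P<name>[A-Z][A-Z0-9_]*)\s*=\s*(?P<members>\S.*)$"
)
# users hosts = (runas) [TAG:...] commands ; users/hosts may not contain '=' or
# whitespace, so [^\s=]+ can never backtrack into the '=' it must stop at.
USERSPEC_RE = re.compile(
    r"^(?P<users>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.*)$"
)
TAG_RE = re.compile(
    r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW|INTERCEPT|NOINTERCEPT)"
    r"\s*:\s*(?P<rest>.*)$"
)


@dataclass
class Alias:
    kind: str
    name: str
    members: list


@dataclass
class UserSpec:
    users: list
    hosts: list
    runas: list
    tags: list
    commands: list


@dataclass
class Sudoers:
    aliases: dict = field(default_factory=dict)   # (kind, name) -> Alias
    specs: list = field(default_factory=list)


def _split_list(text):
    # Simplification: sudoers allows '\,' inside a command; not handled here.
    return [item.strip() for item in text.split(",") if item.strip()]


def _logical_lines(text):
    """Yield lines with '#' comment lines dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_sudoers(text):
    sudoers = Sudoers()
    for line in _logical_lines(text):
        m = ALIAS_RE.match(line)
        if m:
            alias = Alias(m["kind"], m["name"], _split_list(m["members"]))
            sudoers.aliases[(alias.kind, alias.name)] = alias
            continue
        m = USERSPEC_RE.match(line)
        if not m:
            raise ValueError(f"unparsed sudoers line: {line!r}")
        rest, tags = m["rest"], []
        while (t := TAG_RE.match(rest)):          # peel leading TAG: prefixes
            tags.append(t["tag"])
            rest = t["rest"]
        runas = _split_list(m["runas"]) if m["runas"] is not None else []
        sudoers.specs.append(UserSpec(_split_list(m["users"]), _split_list(m["hosts"]),
                                      runas, tags, _split_list(rest)))
    return sudoers


def resolve_commands(sudoers, spec):
    """Expand Cmnd_Alias names in a spec to the paths they stand for."""
    out = []
    for cmd in spec.commands:
        negated = cmd.startswith("!")
        alias = sudoers.aliases.get(("Cmnd_Alias", cmd.lstrip("!")))
        if alias:
            out.extend(("!" if negated else "") + member for member in alias.members)
        else:
            out.append(cmd)
    return out


def passwordless_grants(sudoers):
    """(user, runas, command) triples that sudo would allow without a password.
    Simplification: a NOPASSWD tag is applied to every command in the spec, and
    a missing runas list is taken as root (sudoers' default runas_default)."""
    grants = []
    for spec in sudoers.specs:
        if "NOPASSWD" not in spec.tags:
            continue
        for user in spec.users:
            for runas in (spec.runas or ["root"]):
                for cmd in resolve_commands(sudoers, spec):
                    grants.append((user, runas, cmd))
    return grants


# Constructed copy of the drop-in from the report (comments translated from Dutch).
SAMPLE_DROPIN = """\
# Create any script.
Cmnd_Alias MGT_FB_SCRIPT=/usr/local/bin/manage_fb_inputs.sh
# filebeat_inputs may run the script without a password
filebeat_inputs ALL=(root)NOPASSWD: MGT_FB_SCRIPT
# Everyone else may do anything as filebeat_inputs, but with a password.
ALL,!filebeat_inputs ALL=(filebeat_inputs) ALL
# And may use the script directly too, but with a password.
ALL,!filebeat_inputs ALL=(root) MGT_FB_SCRIPT
"""

# The reporter's workaround: only the spacing around '=' differs.
SAMPLE_DROPIN_SPACED = SAMPLE_DROPIN.replace("MGT_FB_SCRIPT=/", "MGT_FB_SCRIPT = /")

if __name__ == "__main__":
    for user, runas, cmd in passwordless_grants(parse_sudoers(SAMPLE_DROPIN)):
        print(f"NOPASSWD: {user} may run {cmd} as {runas}")
```

Running the module prints the single passwordless grant in the sample (filebeat_inputs running the management script as root); parsing the spaced and unspaced drop-ins yields identical aliases and grants, which is the property a scanner's regexes should preserve. The `[^\s=]+` classes are the deliberate choice here: a greedy `\S+` for the user and host fields would have to give characters back until it finds the `=`, and patterns that combine such backtracking with nested or repeated groups are what turn a one-line alias into hours of matching.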