False Positive in ssg-object_no_runas_spec Regex – Matches Defaults Lines in /etc/sudoers
Hello,
It appears that the regex used in ssg-object_no_runas_spec may incorrectly trigger a failure for the 'sudoers_no_root_target' rule by matching Defaults lines in the /etc/sudoers file, which are not user specifications.
Relevant code: https://github.com/ComplianceAsCode/content/blob/301bb9d57eb0f1fccbe21659a9266dd7afd6c4ef/linux_os/guide/system/software/sudo/sudoers_no_root_target/oval/shared.xml#L44
Tested on AlmaLinux 10 with the following command:
```
grep -P '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/* 2>/dev/null
/etc/sudoers:Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
/etc/sudoers:Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
```
These are clearly Defaults configuration lines and not user specifications lacking a runas spec. However, the regex matches them, causing a false failure of the sudoers_no_root_target rule.
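The false positive reproduced offline, as an added example that is not part of the original issue or the ComplianceAsCode project: the regex quoted above is run against constructed sudoers lines alongside a hypothetical adjusted pattern (an assumption of this example, not the project's fix) that skips Defaults lines with a leading negative lookahead.

```python
import re

# Regex exactly as quoted in the issue (sudoers_no_root_target OVAL check).
ORIGINAL_RE = re.compile(r'^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]')

# Hypothetical adjusted pattern (assumption of this example, not the project's
# fix): a negative lookahead rejects Defaults lines before user-spec matching.
ADJUSTED_RE = re.compile(r'^\s*(?!Defaults\b)((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]')

# Constructed sudoers content: the two Defaults lines from the issue, root's own
# entry, one user spec with no runas spec (implicit root target) and one with an
# explicit runas spec.
SAMPLE_SUDOERS = """\
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL = (ALL) ALL
alice ALL = /usr/bin/less
bob ALL = (bob) /usr/bin/less
"""


def flagged_lines(pattern, text):
    """Return the lines of `text` that `pattern` flags as lacking a runas spec."""
    return [line for line in text.splitlines() if pattern.search(line)]


if __name__ == "__main__":
    # The original pattern reports both Defaults lines plus alice's entry;
    # the adjusted pattern reports only alice's entry.
    for name, pat in (("original", ORIGINAL_RE), ("adjusted", ADJUSTED_RE)):
        print(f"{name}:")
        for line in flagged_lines(pat, SAMPLE_SUDOERS):
            print("   ", line)
```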