Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of OpenEmbedded
System Settings
Installing and Maintaining Software
Sudo
Don't define allowed commands in sudoers by means of exclusion
Don't define allowed commands in sudoers by means of exclusion
An XCCDF Rule
Details
Profiles
Prose
Don't define allowed commands in sudoers by means of exclusion
Medium Severity
Policies applied by sudo through the sudoers file should not involve negation. Each user specification in the
sudoers
file contains a comma-delimited list of command specifications. The definition can make use glob patterns, as well as of negations. Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.