Skip to content

AIX must remove !authenticate option from sudo config files.

An XCCDF Rule

Description

<VulnDiscussion>sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-215261r1009546_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options:
# visudo -f /etc/sudoers

Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>