
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD

An XCCDF Rule

Description

The sudo NOPASSWD tag, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the NOPASSWD tag does not exist in the /etc/sudoers configuration file or in any sudo configuration snippets in /etc/sudoers.d/.
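
One way to audit for the condition described above, as an added example (not the rule's own check content): a POSIX shell scan that reports every active line carrying the NOPASSWD tag. The function names `scan_file`, `scan_nopasswd` and `make_sample` and the sample sudoers lines are constructed for illustration. The scan assumes one rule per line (no backslash continuations) and reads every file in a snippet directory, including names sudo itself would skip (those ending in `~` or containing a `.`).

```shell
#!/bin/sh
# scan_file FILE: print "file:line:text" for each finding; return 1 if any.
scan_file() {
    awk -v file="$1" '
        # "#" starts a comment, except "#<digits>", which sudoers reads as a UID.
        /^[[:space:]]*#/ && !/^[[:space:]]*#[0-9]/ { next }
        /(^|[^A-Za-z_])NOPASSWD[[:space:]]*:/ {
            printf "%s:%d:%s\n", file, NR, $0; hit = 1
        }
        END { exit hit + 0 }
    ' "$1"
}

# scan_nopasswd PATH...: each PATH is a sudoers file or a snippet directory.
# Returns 0 when no NOPASSWD tag is active, 1 otherwise.
scan_nopasswd() {
    rc=0
    for path in "$@"; do
        if [ -d "$path" ]; then
            for f in "$path"/*; do
                [ -f "$f" ] || continue
                scan_file "$f" || rc=1
            done
        elif [ -f "$path" ]; then
            scan_file "$path" || rc=1
        fi
    done
    return "$rc"
}

# make_sample: write constructed sudoers content to a temp dir, print its path.
make_sample() {
    dir=$(mktemp -d) && mkdir "$dir/sudoers.d" || return 1
    printf '%s\n' 'root ALL=(ALL) ALL' \
        '# %wheel ALL=(ALL) NOPASSWD: ALL' > "$dir/sudoers"
    printf '%s\n' 'deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl' \
        > "$dir/sudoers.d/deploy"
    printf '%s\n' '#1001 ALL=(ALL) NOPASSWD:ALL' > "$dir/sudoers.d/by-uid"
    printf '%s\n' "$dir"
}

# With arguments, scan them; without, scan the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_nopasswd "$@"
else
    sample=$(make_sample)
    scan_nopasswd "$sample/sudoers" "$sample/sudoers.d" || true
    rm -rf "$sample"
fi
```

Run as root with `/etc/sudoers /etc/sudoers.d` as arguments to scan a live system; the exit status is non-zero when any active NOPASSWD tag is found.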

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

ID
xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd
Severity
Medium
References
Updated