Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
An XCCDF Rule
Description
The sudo !authenticate
option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate
option does not exist in /etc/sudoers
configuration file or
any sudo configuration snippets in /etc/sudoers.d/
.
Rationale
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
- ID
- xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
tags:
Remediation - Shell Script
for f in /etc/sudoers /etc/sudoers.d/* ; do
if [ ! -e "$f" ] ; then
continue
fi
matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )