Disallow Configuration to Bypass Password Requirements for Privilege Escalation

An XCCDF Rule

Description

Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:

$ sudo grep pam_succeed_if /etc/pam.d/sudo

If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.

Rationale

Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.

ID: xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
Severity: Medium
References: CCI-002038

IA-11

SRG-OS-000373-GPOS-00156 SRG-OS-000373-GPOS-00157 SRG-OS-000373-GPOS-00158

RHEL-08-010385

SV-251712r854083_rule

CCE-86319-1
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86319-1
  - DISA-STIG-RHEL-08-010385  - NIST-800-53-IA-11
  - disallow_bypass_password_sudo
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check for pam_succeed_if entry
  ansible.builtin.lineinfile:
    path: /etc/pam.d/sudo
    create: false
    regexp: pam_succeed_if
    state: absent
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-86319-1
  - DISA-STIG-RHEL-08-010385
  - NIST-800-53-IA-11
  - disallow_bypass_password_sudo
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then

sed -i '/pam_succeed_if/d' /etc/pam.d/sudo

else    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disallow Configuration to Bypass Password Requirements for Privilege Escalation

Description

Rationale

Remediation - Ansible

Remediation - Shell Script