Ensure Users Re-Authenticate for Privilege Escalation - sudo
An XCCDF Rule
Description
The sudo NOPASSWD
and !authenticate
option, when
specified, allows a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
NOPASSWD
and/or !authenticate
do not exist in
/etc/sudoers
configuration file or any sudo configuration snippets
in /etc/sudoers.d/
."
Rationale
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
- ID
- xccdf_org.ssgproject.content_rule_sudo_require_authentication
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Find /etc/sudoers.d/ files
ansible.builtin.find:
paths:
- /etc/sudoers.d/
register: sudoers
tags:
Remediation - Shell Script
for f in /etc/sudoers /etc/sudoers.d/* ; do
if [ ! -e "$f" ] ; then
continue
fi
matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )