Ensure only owner and members of group owner of /usr/bin/sudo can execute it
An XCCDF Rule
Description
Remove the execute permission bit of /etc/bin/sudo
for the other users.
To properly set the permissions of /usr/bin/sudo
, run the command:
$ sudo chmod 4110 /usr/bin/sudo
Rationale
Restricting the set of users able to execute commands as privileged user reduces the attack surface.
- ID
- xccdf_org.ssgproject.content_rule_sudo_restrict_others_executable_permission
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Test for existence /usr/bin/sudo
stat:
path: /usr/bin/sudo
register: file_exists
tags:
- configure_strategy
Remediation - Shell Script
chmod u-wr,g-wrs,o-xwrt /usr/bin/sudo