
Don't target root user in the sudoers file

An XCCDF Rule

Description

The target users of a user specification should, as much as possible, be non-privileged users (i.e. not root). User specifications must explicitly list the runas spec (the list of target users that can be impersonated), and neither ALL nor root should be used there.

Warning

This rule does not come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.

Rationale

It is common that the command to be executed does not require superuser rights (editing a file whose owner is not root, sending a signal to an unprivileged process, etc.). To limit any attempt at privilege escalation through such a command, it is better to run it with normal user rights.
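Since the rule ships without a remediation, a first-pass audit helps locate the entries that need a manual decision. The POSIX shell script below is an added example, not part of the SSG content or its OVAL check: it scans a sudoers-style file and reports user specifications whose runas spec is missing (sudo then defaults the target user to root) or names ALL or root, using a constructed sample file rather than a real system's sudoers.

```shell
#!/bin/sh
# Added example, not part of the SSG rule or its OVAL check: list the user
# specifications in a sudoers-style file whose runas spec is missing (sudo
# then defaults the target user to root) or names ALL or root as a target.

# check_sudoers_targets FILE: print offending specifications, return 1 if any.
check_sudoers_targets() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        # Skip comments, blank lines, Defaults, includes and alias definitions.
        case "$_line" in
            ''|'#'*|'@'*|Defaults*|User_Alias*|Runas_Alias*|Host_Alias*|Cmnd_Alias*) continue ;;
        esac
        # Only user specifications contain '='  (user host = [(runas)] cmds).
        case "$_line" in *=*) ;; *) continue ;; esac
        _rhs=${_line#*=}
        _ws=${_rhs%%[![:space:]]*}          # leading whitespace run
        _rhs=${_rhs#"$_ws"}
        case "$_rhs" in
            '('*)   # explicit runas spec: the user list sits before ':' or ')'
                _users=${_rhs#'('}; _users=${_users%%')'*}; _users=${_users%%:*}
                _hit=0
                for _u in $(printf '%s' "$_users" | tr ',' ' '); do
                    case "$_u" in ALL|root) _hit=1 ;; esac
                done
                if [ "$_hit" -eq 1 ]; then printf '%s\n' "$_line"; _bad=1; fi ;;
            *)      # no runas spec at all: the target user defaults to root
                printf '%s\n' "$_line"; _bad=1 ;;
        esac
    done < "$1"
    return "$_bad"
}

# Constructed sample (not a real system's sudoers): alice and bob conform,
# carol, dave and erin are flagged.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults    env_reset
Cmnd_Alias  SIGNAL = /bin/kill
alice   ALL = (www-data) /usr/bin/systemctl reload nginx
bob     ALL = (:backup) /usr/bin/rsync
carol   ALL = (root) /usr/bin/less /var/log/syslog
dave    ALL = (ALL:ALL) ALL
erin    ALL = NOPASSWD: /usr/bin/apt-get update
EOF
}

sample=$(mktemp)
write_sample_sudoers "$sample"
if check_sudoers_targets "$sample"; then echo "no root/ALL targets found"; fi
rm -f "$sample"
```

The script reads one file and does not expand Runas_Alias names or included files, so each flagged line still needs the manual review the rule's warning calls for.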

ID
xccdf_org.ssgproject.content_rule_sudoers_no_root_target
Severity
Medium
References
Updated