Disallow Configuration to Bypass Password Requirements for Privilege Escalation
An XCCDF Rule
Description
Verify the operating system is not configured to bypass password requirements for privilege escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudoIf any occurrences of "pam_succeed_if" is returned from the command, this is a finding.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.
- ID
- xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-09-611145
- NIST-800-53-IA-11
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
sed -i '/pam_succeed_if/d' /etc/pam.d/sudo
else