AIX must remove !authenticate option from sudo config files.
An XCCDF Rule
Description
<VulnDiscussion>sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-215261r853469_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options:
# visudo -f /etc/sudoers
Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>