Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
AIX must remove !authenticate option from sudo config files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-91539 | AIX7-00-002062 | SV-101637r1_rule | Medium |
| Description |
|---|
| sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation. |
| STIG | Date |
|---|---|
| IBM AIX 7.x Security Technical Implementation Guide | 2019-04-29 |
Details
| Check Text ( C-90693r1_chk ) |
|---|
| If sudo is not used on AIX, this is Not Applicable. Run the following command to find "!authenticate" option in "/etc/sudoers" file: # grep "!authenticate" /etc/sudoers If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding. Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option. If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding. |
| Fix Text (F-97737r1_fix) |
|---|
| Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options: # visudo -f /etc/sudoers Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows: # visudo -f /etc/sudoers.d/ |