
AIX must remove NOPASSWD tag from sudo config files.


Overview

Finding ID: V-91537
Version: AIX7-00-002061
Rule ID: SV-101635r1_rule
IA Controls: (none listed)
Severity: High
Description
The sudo command does not require the invoking user to authenticate if the NOPASSWD tag is specified for their entry in the /etc/sudoers configuration file or in any file under the /etc/sudoers.d/ directory. With this tag present, a user (or anyone who has obtained that user's session) can escalate privileges without ever supplying a password, so the password check that sudo normally provides before a privileged command is lost.
STIG: IBM AIX 7.x Security Technical Implementation Guide
Date: 2020-02-24

Details

Check Text ( C-90691r1_chk )
If sudo is not used on AIX, this is Not Applicable.

Run the following command to find the "NOPASSWD" tag in the "/etc/sudoers" file:
# grep NOPASSWD /etc/sudoers

If a "NOPASSWD" tag is found in the "/etc/sudoers" file, this is a finding.

Run the following command to find the "NOPASSWD" tag in any of the sudo config files in the "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \;

The above command lists every file in the "/etc/sudoers.d/" directory that contains the "NOPASSWD" tag.

If the above command lists a config file in the "/etc/sudoers.d/" directory that contains the "NOPASSWD" tag, this is a finding.

Note that a plain grep also matches comment lines, so a commented-out tag will be reported; confirm that any match is on an active entry before recording the finding. Note also that sudoers can pull in additional files through "#include" and "#includedir" directives pointing outside "/etc/sudoers.d/"; those files should be inspected with the same grep.
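The two greps above can be combined into one check. The script below is an added example written for this page, not part of the STIG text: it walks /etc/sudoers and every file reached through "#include"/"#includedir" (and the newer "@include"/"@includedir") directives, applies sudo's own rule for directory includes (files whose names contain a "." or end in "~" are skipped), ignores comment lines so that a commented-out tag is not reported, and exits non-zero when an active NOPASSWD tag is found. It assumes POSIX sh and awk, which AIX 7.x provides; include paths that use the "%h" hostname escape are not expanded.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit sudoers for the NOPASSWD tag.
# Assumes POSIX sh, awk and the usual file tests (all present on AIX 7.x).
# Include paths using the %h (hostname) escape are not expanded.

# sudoers_files ROOT
# Print ROOT followed by every file it pulls in through include directives.
# For a directory include, sudo's own rule is applied: files whose names
# contain a '.' or end in '~' are skipped (editor backups, package leftovers).
sudoers_files() {
    [ -f "$1" ] || return 0
    printf '%s\n' "$1"
    awk '/^[#@]include(dir)?[ \t]/ { print $1, $2 }' "$1" |
    while read -r directive path; do
        case $directive in
            '#includedir'|'@includedir')
                [ -d "$path" ] || continue
                for f in "$path"/*; do
                    [ -f "$f" ] || continue
                    case ${f##*/} in *.*|*~) continue ;; esac
                    sudoers_files "$f"
                done ;;
            '#include'|'@include')
                sudoers_files "$path" ;;
        esac
    done
}

# sudoers_nopasswd_lines FILE
# Print FILE:LINE:TEXT for each non-comment line that carries the NOPASSWD tag.
sudoers_nopasswd_lines() {
    awk -v f="$1" '
        { code = $0; sub(/#.*$/, "", code) }   # drop comments before matching
        code ~ /NOPASSWD/ { printf "%s:%d:%s\n", f, NR, $0 }
    ' "$1"
}

# check_nopasswd ROOT
# Print every offending line and return 1 (a finding) if an active NOPASSWD
# tag is present in ROOT or any file it includes; return 0 when none is found.
check_nopasswd() {
    hits=$(sudoers_files "$1" | while read -r file; do
        sudoers_nopasswd_lines "$file"
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh nopasswd-check.sh /etc/sudoers   (exit status 1 means a finding)
if [ "$#" -gt 0 ]; then
    check_nopasswd "$1"
    exit "$?"
fi
```

The script only reports NOPASSWD, which is what this rule is about. A reviewer should keep in mind that sudo has other ways to turn off the password prompt (for example the "Defaults !authenticate" option), so a clean result here does not by itself prove that every privilege escalation requires a password.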
Fix Text (F-97735r1_fix)
Edit "/etc/sudoers" using the "visudo" command (which locks the file and checks its syntax before saving) and remove all "NOPASSWD" tags:
# visudo

To edit a sudo config file in the "/etc/sudoers.d/" directory that contains "NOPASSWD" tags, use "visudo" with the "-f" option, appending to the path below the name of the file reported by the check:
# visudo -f /etc/sudoers.d/

Remove the "NOPASSWD" tag from each affected entry (leaving the rest of the rule intact so the user keeps the same command access but is prompted for a password), then re-run the check commands to confirm no tag remains. A file can also be syntax-checked without editing it by running "visudo -c -f" followed by its path.