Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-91537 | AIX7-00-002061 | SV-101635r1_rule | High |
Description |
---|
sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not required to reauthenticate for privilege escalation. |
STIG | Date |
---|---|
IBM AIX 7.x Security Technical Implementation Guide | 2020-02-24 |
Check Text ( C-90691r1_chk ) |
---|
If sudo is not used on AIX, this is Not Applicable. Run the following command to find the "NOPASSWD" tag in "/etc/sudoers" file: # grep NOPASSWD /etc/sudoers If there is a "NOPASSWD" tag found in "/etc/sudoers" file, this is a finding. Run the following command to find the "NOPASSWD" tag in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "NOPASSWD" tag. If above command found a config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tag, this is a finding. |
Fix Text (F-97735r1_fix) |
---|
Edit "/etc/sudoers" using "visudo" command to remove all the "NOPASSWD" tags: # visudo -f Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tags, use "visudo" the command as follows: # visudo -f /etc/sudoers.d/ |