Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
AIX must remove NOPASSWD tag from sudo config files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-91537 | AIX7-00-002061 | SV-101635r1_rule | High |
| Description |
|---|
| sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not required to reauthenticate for privilege escalation. |
| STIG | Date |
|---|---|
| IBM AIX 7.x Security Technical Implementation Guide | 2020-02-24 |
Details
| Check Text ( C-90691r1_chk ) |
|---|
| If sudo is not used on AIX, this is Not Applicable. Run the following command to find the "NOPASSWD" tag in "/etc/sudoers" file: # grep NOPASSWD /etc/sudoers If there is a "NOPASSWD" tag found in "/etc/sudoers" file, this is a finding. Run the following command to find the "NOPASSWD" tag in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "NOPASSWD" tag. If above command found a config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tag, this is a finding. |
| Fix Text (F-97735r1_fix) |
|---|
| Edit "/etc/sudoers" using "visudo" command to remove all the "NOPASSWD" tags: # visudo -f Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tags, use "visudo" the command as follows: # visudo -f /etc/sudoers.d/ |