UCF STIG Viewer Logo

AIX must remove !authenticate option from sudo config files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-215261 AIX7-00-002062 SV-215261r508663_rule Medium
Description
sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation.
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2022-06-06

Details

Check Text ( C-16459r294234_chk )
If sudo is not used on AIX, this is Not Applicable.

Run the following command to find "!authenticate" option in "/etc/sudoers" file:
# grep "!authenticate" /etc/sudoers

If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding.

Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \;

The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option.

If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.
Fix Text (F-16457r294235_fix)
Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options:
# visudo -f /etc/sudoers

Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/