UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The sudo command must require authentication.


Overview

Finding ID Version Rule ID IA Controls Severity
V-209072 OL6-00-000529 SV-209072r603263_rule Medium
Description
The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.
STIG Date
Oracle Linux 6 Security Technical Implementation Guide 2021-06-14

Details

Check Text ( C-36261r602377_chk )
Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here.

# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*

If any occurrences of "NOPASSWD" or “!authenticate” are returned from these commands and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding.
Fix Text (F-36225r602378_fix)
Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options.

# visudo
# visudo -f [other sudo configuration file]