Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The sudo command must require authentication.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-209072 | OL6-00-000529 | SV-209072r793793_rule | Medium |
| Description |
|---|
| The "sudo" command allows authorized users to run programs (including shells) as other users, system users, and root. The "/etc/sudoers" file is used to configure authorized "sudo" users as well as the programs they are allowed to run. Some configuration options in the "/etc/sudoers" file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts. |
| STIG | Date |
|---|---|
| Oracle Linux 6 Security Technical Implementation Guide | 2021-12-03 |
Details
| Check Text ( C-36261r602377_chk ) |
|---|
| Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here. # egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/* # egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/* If any occurrences of "NOPASSWD" or “!authenticate” are returned from these commands and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding. |
| Fix Text (F-36225r602378_fix) |
|---|
| Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options. # visudo # visudo -f [other sudo configuration file] |