AIX must remove !authenticate option from sudo config files.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-215261 | SRG-OS-000373-GPOS-00156 | AIX7-00-002062 | SV-215261r1009546_rule | 2024-08-16 | 3 |
| Description |
|---|
| sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation. |
| ℹ️ Check |
|---|
| If sudo is not used on AIX, this is Not Applicable. Run the following command to find "!authenticate" option in "/etc/sudoers" file: # grep "!authenticate" /etc/sudoers If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding. Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option. If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding. |
| ✔️ Fix |
|---|
| Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options: # visudo -f /etc/sudoers Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows: # visudo -f /etc/sudoers.d/<config_file_name> |