TOSS 5 must use the invoking user's password for privilege escalation when using sudo.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-282590SRG-OS-000373-GPOS-00156TOSS-05-000326SV-282590r1200750_rule2026-04-011

Description

If the "rootpw", "targetpw", or "runaspw" flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

ℹ️ Check

Verify the sudoers security policy is configured to use the invoking user's password for privilege escalation using the following command: $ sudo egrep -ir '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If no results are returned, this is a finding. If results are returned from more than one file location, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding.

✔️ Fix

Define the following in the Defaults section of the "/etc/sudoers" file or a single configuration file in the "/etc/sudoers.d/" directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw