1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
documentation_complete: true
title: 'Ensure Users Re-Authenticate for Privilege Escalation - sudo'
description: |-
The sudo <tt>NOPASSWD</tt> and <tt>!authenticate</tt> option, when
specified, allows a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
<tt>NOPASSWD</tt> and/or <tt>!authenticate</tt> do not exist in
<tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets
in <tt>/etc/sudoers.d/</tt>."
rationale: |-
Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
<br /><br />
When operating systems provide the capability to escalate a functional capability, it
is critical that the user re-authenticate.
severity: medium
identifiers:
cce@rhel8: CCE-82279-1
cce@rhel9: CCE-83543-9
cce@rhel10: CCE-87457-8
cce@sle15: CCE-85673-2
cce@slmicro5: CCE-93713-6
references:
cis-csc: 1,12,15,16,5
cis@ubuntu2204: 5.3.4
cobit5: DSS05.04,DSS05.10,DSS06.03,DSS06.10
disa: CCI-002038,CCI-004895
isa-62443-2009: 4.3.3.5.1,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
nist: IA-11,CM-6(a)
nist-csf: PR.AC-1,PR.AC-7
srg: SRG-OS-000373-GPOS-00156
stigid@sle15: SLES-15-010450
stigid@ubuntu2004: UBTU-20-010014
stigid@ubuntu2204: UBTU-22-432010
ocil_clause: 'nopasswd and/or !authenticate is enabled in sudo'
ocil: |-
To determine if <tt>NOPASSWD</tt> or <tt>!authenticate</tt> have been configured for
sudo, run the following command:
<pre>$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/</pre>
The command should return no output.
|
