AIX must remove NOPASSWD tag from sudo config files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215260 | AIX7-00-002061 | SV-215260r1009545_rule | CCI-004895 | high |
| Description | ||||
| sudo command does not require reauthentication if NOPASSWD tag is specified in /etc/sudoers config file, or sudoers files in /etc/sudoers.d/ directory. With this tag in sudoers file, users are not required to reauthenticate for privilege escalation. | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Details
Check Text (C-215260r1009545_chk)
If sudo is not used on AIX, this is Not Applicable.
Run the following command to find the "NOPASSWD" tag in "/etc/sudoers" file:
# grep NOPASSWD /etc/sudoers
If there is a "NOPASSWD" tag found in "/etc/sudoers" file, this is a finding.
Run the following command to find the "NOPASSWD" tag in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \;
The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "NOPASSWD" tag.
If above command found a config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tag, this is a finding.
Fix Text (F-16456r294232_fix)
Edit "/etc/sudoers" using "visudo" command to remove all the "NOPASSWD" tags:
# visudo -f
Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tags, use "visudo" the command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>