AIX must remove !authenticate option from sudo config files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215261 | AIX7-00-002062 | SV-215261r1009546_rule | CCI-004895 | medium |
| Description | ||||
| sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation. | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Details
Check Text (C-215261r1009546_chk)
If sudo is not used on AIX, this is Not Applicable.
Run the following command to find "!authenticate" option in "/etc/sudoers" file:
# grep "!authenticate" /etc/sudoers
If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding.
Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \;
The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option.
If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.
Fix Text (F-16457r294235_fix)
Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options:
# visudo -f /etc/sudoers
Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>