Nutanix OS must require users to reauthenticate for privilege escalation.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279599 | NXAC-OS-000153 | SV-279599r1192563_rule | CCI-002038 | medium |
| Description | ||||
| Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to change security roles, it is critical that the user reauthenticate. | ||||
| STIG | Date | |||
| Nutanix Acropolis GPOS Security Technical Implementation Guide | 2026-02-24 | |||
Details
Check Text (C-279599r1192563_chk)
For AHV, this requirement is Not Applicable.
Confirm Nutanix OS is configured as shown for reauthentication in the sudoers file:
$ grep -i nopasswd /etc/sudoers /etc/sudoers.d/*
If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using multifactor authentication (MFA), this is a finding.
Fix Text (F-84057r1192562_fix)
Remove occurrences of "NOPASSWD" found.
1. For AOS, use the following command.
salt-call state.sls security/CVM/manualCVM
2. For Prism Central, use the following command.
salt-call state.sls security/PCVM/manualPCVM
3. For Files, use the following command.
salt-call state.sls security/AFS/manualAFS
4. The AHV hypervisor does not support local interactive user accounts. AHV has been designed and configured to run essentially headless. The only accounts allowed on AHV are the pre-configured system accounts.