TOSS 5 must use the invoking user's password for privilege escalation when using sudo.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282590TOSS-05-000326SV-282590r1200750_ruleCCI-002038medium
Description
If the "rootpw", "targetpw", or "runaspw" flags are defined and not disabled, by default the operating system will prompt the invoking user for the "root" user password. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282590r1200750_chk)

Verify the sudoers security policy is configured to use the invoking user's password for privilege escalation using the following command: $ sudo egrep -ir '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' /etc/sudoers:Defaults !targetpw /etc/sudoers:Defaults !rootpw /etc/sudoers:Defaults !runaspw If no results are returned, this is a finding. If results are returned from more than one file location, this is a finding. If "Defaults !targetpw" is not defined, this is a finding. If "Defaults !rootpw" is not defined, this is a finding. If "Defaults !runaspw" is not defined, this is a finding.

Fix Text (F-87056r1200749_fix)

Define the following in the Defaults section of the "/etc/sudoers" file or a single configuration file in the "/etc/sudoers.d/" directory: Defaults !targetpw Defaults !rootpw Defaults !runaspw