STIGQter STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The sudo command must require authentication.

DISA Rule

SV-209072r603263_rule

Vulnerability Number

V-209072

Group Title

SRG-OS-000373

Rule Version

OL6-00-000529

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Update the "/etc/sudoers" or other sudo configuration files to remove or comment out lines utilizing the "NOPASSWD" and "!authenticate" options.

# visudo
# visudo -f [other sudo configuration file]

Check Contents

Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here.

# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*

If any occurrences of "NOPASSWD" or “!authenticate” are returned from these commands and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding.

Vulnerability Number

V-209072

Documentable

False

Rule Version

OL6-00-000529

Severity Override Guidance

Verify neither the "NOPASSWD" option nor the "!authenticate" option is configured for use in "/etc/sudoers" and associated files. Note that the "#include" and "#includedir" directives may be used to include configuration data from locations other than the defaults enumerated here.

# egrep '^[^#]*NOPASSWD' /etc/sudoers /etc/sudoers.d/*
# egrep '^[^#]*!authenticate' /etc/sudoers /etc/sudoers.d/*

If any occurrences of "NOPASSWD" or “!authenticate” are returned from these commands and have not been documented with the ISSO as an organizationally defined administrative group utilizing MFA, this is a finding.

Check Content Reference

M

Target Key

2928

Comments