STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must remove NOPASSWD tag from sudo config files.

DISA Rule

SV-215260r508663_rule

Vulnerability Number

V-215260

Group Title

SRG-OS-000373-GPOS-00156

Rule Version

AIX7-00-002061

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Edit "/etc/sudoers" using "visudo" command to remove all the "NOPASSWD" tags:
# visudo -f

Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tags, use "visudo" the command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>

Check Contents

If sudo is not used on AIX, this is Not Applicable.

Run the following command to find the "NOPASSWD" tag in "/etc/sudoers" file:
# grep NOPASSWD /etc/sudoers

If there is a "NOPASSWD" tag found in "/etc/sudoers" file, this is a finding.

Run the following command to find the "NOPASSWD" tag in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \;

The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "NOPASSWD" tag.

If above command found a config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tag, this is a finding.

Vulnerability Number

V-215260

Documentable

False

Rule Version

AIX7-00-002061

Severity Override Guidance

If sudo is not used on AIX, this is Not Applicable.

Run the following command to find the "NOPASSWD" tag in "/etc/sudoers" file:
# grep NOPASSWD /etc/sudoers

If there is a "NOPASSWD" tag found in "/etc/sudoers" file, this is a finding.

Run the following command to find the "NOPASSWD" tag in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \;

The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "NOPASSWD" tag.

If above command found a config file that is in "/etc/sudoers.d/" directory and contains the "NOPASSWD" tag, this is a finding.

Check Content Reference

M

Target Key

4012

Comments