STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must remove !authenticate option from sudo config files.

DISA Rule

SV-215261r508663_rule

Vulnerability Number

V-215261

Group Title

SRG-OS-000373-GPOS-00156

Rule Version

AIX7-00-002062

Severity

CAT II

CCI(s)

CCI-002038 - The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.

Weight

Fix Recommendation

Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options:
# visudo -f /etc/sudoers

Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>

Check Contents

If sudo is not used on AIX, this is Not Applicable.

Run the following command to find "!authenticate" option in "/etc/sudoers" file:
# grep "!authenticate" /etc/sudoers

If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding.

Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \;

The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option.

If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.

Vulnerability Number

V-215261

Documentable

False

Rule Version

AIX7-00-002062

Severity Override Guidance

Check Content Reference

Target Key

4012

AIX must remove !authenticate option from sudo config files.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments