Check: AZLX-23-001005
Amazon Linux 2023 STIG: AZLX-23-001005 (in version v1 r1)
Title
Amazon Linux 2023 must not be configured to bypass password requirements for privilege escalation. (Cat II impact)
Discussion
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.
Check Content
Verify Amazon Linux 2023 is not configured to bypass password requirements for privilege escalation with the following command:

$ sudo grep pam_succeed_if /etc/pam.d/sudo

If any occurrences of "pam_succeed_if" are returned, this is a finding.
Fix Text
Configure Amazon Linux 2023 to require users to supply a password for privilege escalation. Remove any occurrences of "pam_succeed_if" in the "/etc/pam.d/sudo" file.
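The check and fix above, as an added shell example that is not part of the STIG text: a check function that mirrors the grep in the Check Content (any line matching "pam_succeed_if" is a finding), a fix function that removes those lines after taking a backup, and a demo that exercises both on a constructed sample file rather than the real /etc/pam.d/sudo. The file path argument and the backup naming are assumptions of this example.

```shell
#!/bin/sh
# Added example for AZLX-23-001005 (not part of the STIG page itself).

# Report whether a PAM file references the pam_succeed_if module.
# Returns 0 when compliant (no occurrences) and 1 when it is a finding.
check_pam_succeed_if() {
    file="${1:-/etc/pam.d/sudo}"   # assumed default: the file named by the STIG
    if [ ! -f "$file" ]; then
        printf 'NOT APPLICABLE: %s does not exist\n' "$file"
        return 0
    fi
    if grep -q pam_succeed_if "$file"; then
        printf 'FINDING: %s contains pam_succeed_if:\n' "$file"
        grep -n pam_succeed_if "$file"
        return 1
    fi
    printf 'PASS: no pam_succeed_if in %s\n' "$file"
    return 0
}

# Remediate by deleting every line that references pam_succeed_if,
# keeping a timestamped backup of the original (backup naming is an assumption).
fix_pam_succeed_if() {
    file="${1:-/etc/pam.d/sudo}"
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # GNU sed (shipped with Amazon Linux) deletes the whole line, so the
    # STIG grep in check_pam_succeed_if returns nothing afterwards.
    sed -i '/pam_succeed_if/d' "$file"
}

# Self-contained demo on a constructed sample PAM file (not a system file).
# Returns 0 when the check flags the sample, the fix clears it, and the re-check passes.
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_succeed_if.so uid = 0 use_uid quiet
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF
    if check_pam_succeed_if "$tmp"; then
        echo 'demo error: sample file should have been a finding'
        rm -f "$tmp"
        return 1
    fi
    fix_pam_succeed_if "$tmp"
    check_pam_succeed_if "$tmp"
    rc=$?
    rm -f "$tmp" "$tmp".bak.*
    return $rc
}
```

Run `demo` to see the finding, the remediation, and the clean re-check on the sample; on a real host, run `check_pam_succeed_if` (with sudo, since /etc/pam.d/sudo is root-readable) before deciding whether to apply the fix.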
Additional Identifiers
Rule ID: SV-274013r1120027_rule
Vulnerability ID: V-274013
Group Title: SRG-OS-000312-GPOS-00123
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002165 | Enforce organization-defined discretionary access control policies over defined subjects and objects. |
Controls
| Number | Title |
|---|---|
| AC-3(4) | Discretionary Access Control |