Check: FreeBSD-10-001560
FreeBSD 10:
FreeBSD-10-001560
(in version v1 r1)
Title
The operating system must require users to re-authenticate for privilege escalation. (Cat II impact)
Discussion
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate. Satisfies: SRG-OS-000373-GPOS-00156
Check Content
Verify the operating system requires users to re-authenticate for privilege escalation. If it does not, this is a finding.

First, ensure root has a password:

$ grep root /etc/master.passwd

If the second column is blank (i.e., the line is "root::"), this is a finding. No password is set for root and users may use "su" freely.

Second, if sudo is installed, ensure it isn't configured for NOPASSWD auth:

$ grep NOPASSWD /usr/local/etc/sudoers

If any NOPASSWD entries exist, this is a finding. If the file does not exist, sudo is likely not in use and this is NOT a finding.
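The two checks above can be scripted so that commented-out sudoers lines and unrelated accounts whose names merely contain "root" do not show up as matches. The following is an added example, not part of the STIG text; the function names and sample data are constructed for illustration, and it goes slightly beyond the manual check by testing every UID 0 account (FreeBSD also ships "toor") rather than root alone.

```shell
#!/bin/sh
# Added example; function names are illustrative, sample data is constructed.

# Names of UID 0 accounts with an empty password field (column 2).
# master.passwd: name:password:uid:gid:class:change:expire:gecos:home:shell
empty_root_passwords() {
    awk -F: '!/^#/ && NF >= 3 && $3 == 0 && $2 == "" { print $1 }' "$1"
}

# Active sudoers lines carrying the NOPASSWD tag. A leading "#" starts a
# comment unless digits follow it, in which case sudoers reads it as a UID.
nopasswd_rules() {
    [ -f "$1" ] || return 0   # file absent: sudo likely not in use, not a finding
    awk '!/^[ \t]*#([^0-9]|$)/ && /NOPASSWD/' "$1"
}

# Print findings; exit status 0 means compliant, 1 means at least one finding.
check_reauth() {
    empty=$(empty_root_passwords "$1")
    rules=$(nopasswd_rules "$2")
    [ -z "$empty" ] || echo "$empty" | sed 's/^/FINDING: no password set for /'
    [ -z "$rules" ] || echo "$rules" | sed 's/^/FINDING: sudoers rule: /'
    [ -z "$empty" ] && [ -z "$rules" ]
}

# Constructed sample files (not from a real host) exercising both checks.
demo() {
    d=$(mktemp -d)
    cat > "$d/master.passwd" <<'EOF'
# $FreeBSD$
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
chroot_user:$6$constructed:1001:1001::0:0:Test:/home/t:/bin/sh
EOF
    cat > "$d/sudoers" <<'EOF'
# %wheel ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
#1001 ALL=(ALL) NOPASSWD: /sbin/shutdown
EOF
    rc=0; check_reauth "$d/master.passwd" "$d/sudoers" || rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "result: non-compliant (constructed sample)"
```

On a real host, call `check_reauth /etc/master.passwd /usr/local/etc/sudoers` as root, since /etc/master.passwd is not readable by unprivileged users.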
Fix Text
Configure the operating system to require users to re-authenticate for privilege escalation.
Additional Identifiers
Rule ID:
Vulnerability ID: V-1560
Group Title:
CCIs
Number | Definition |
---|---|
CCI-002038 | The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
Controls
Number | Title |
---|---|
IA-11 | Re-Authentication |