Check: AIX7-00-002062
IBM AIX 7.x STIG:
AIX7-00-002062
(in versions v3 r1 through v1 r1)
Title
AIX must remove !authenticate option from sudo config files. (Cat II impact)
Discussion
sudo command does not require reauthentication if !authenticate option is specified in /etc/sudoers config file, or config files in /etc/sudoers.d/ directory. With this tag in sudoers, users are not required to reauthenticate for privilege escalation.
Check Content
If sudo is not used on AIX, this is Not Applicable. Run the following command to find "!authenticate" option in "/etc/sudoers" file: # grep "!authenticate" /etc/sudoers If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding. Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory: # find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \; The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option. If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.
Fix Text
Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options: # visudo -f /etc/sudoers Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows: # visudo -f /etc/sudoers.d/<config_file_name>
Additional Identifiers
Rule ID: SV-215261r1009546_rule
Vulnerability ID: V-215261
Group Title: SRG-OS-000373-GPOS-00156
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002038 |
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication. |
CCI-004895 |
Permit users to invoke the trusted communications path for communications between the user and the organization-defined security functions, including at a minimum, authentication and re-authentication. |
Controls
Number | Title |
---|---|
IA-11 |
Re-authentication |