Title

RHEL 9 must not be configured to bypass password requirements for privilege escalation. (Cat II impact)

Discussion

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Check Content

Verify the operating system is not configured to bypass password requirements for privilege escalation with the following command: $ sudo grep pam_succeed_if /etc/pam.d/sudo If any occurrences of "pam_succeed_if" are returned, this is a finding.

Fix Text

Configure the operating system to require users to supply a password for privilege escalation. Remove any occurrences of " pam_succeed_if " in the "/etc/pam.d/sudo" file.

Additional Identifiers

Rule ID: SV-258118r926341_rule

Vulnerability ID: V-258118

Group Title: SRG-OS-000373-GPOS-00156

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.