Title

SLEM 5 must reauthenticate users when changing authenticators, roles, or escalating privileges. (Cat II impact)

Discussion

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SLEM 5 provides the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate.

Check Content

Verify that SLEM 5 requires reauthentication when changing authenticators, roles, or escalating privileges with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

Fix Text

Configure SLEM 5 to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

Additional Identifiers

Rule ID: SV-261373r996558_rule

Vulnerability ID: V-261373

Group Title: SRG-OS-000373-GPOS-00156

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.