5.2.11 Ensure pam_succeed_if does not exist in /etc/pam.d/sudo

Information

The operating system (OS) must not be configured to bypass password requirements for privilege escalation.

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.

Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Solution

Configure the operating system to require users to supply a password for privilege escalation.

Check the configuration of the "/etc/ pam.d/sudo" file with the following command:

# vi /etc/pam.d/sudo

Remove any occurrences of "pam_succeed_if" in the file.

Item Details

Audit Name: CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-11, CSCv7|4.3, Rule-ID|SV-251712r854083_rule, Vuln-ID|V-251712

Plugin: Unix

Control ID: a1535e281dd63d22def94e674fc7c0a862d66b0395fc1776f57334a98780b8d5

Detections

Analytics

5.2.11 Ensure pam_succeed_if does not exist in /etc/pam.d/sudo

Information

Solution

See Also

Item Details