SLES-12-010109 - The SUSE operating system must specify the default 'include' directory for the /etc/sudoers file - /etc/sudoers.d/*

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The 'sudo' command allows authorized users to run programs (including shells) as other users, system users, and root. The '/etc/sudoers' file is used to configure authorized 'sudo' users as well as the programs they are allowed to run. Some configuration options in the '/etc/sudoers' file allow configured users to run programs without re-authenticating. Use of these configuration options makes it easier for one compromised account to be used to compromise other accounts.

It is possible to include other sudoers files from within the sudoers file currently being parsed using the #include and #includedir directives. When sudo reaches this line it will suspend processing of the current file (/etc/sudoers) and switch to the specified file/directory. Once the end of the included file(s) are reached, the rest of /etc/sudoers will be processed. Files that are included may themselves include other files. A hard limit of 128 nested include files is enforced to prevent include file loops.

Solution

Configure the /etc/sudoers file to only include the /etc/sudoers.d directory.

Edit the /etc/sudoers file with the following command:

> sudo visudo

Add or modify the following line:
#includedir /etc/sudoers.d

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_12_V2R9_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000366, Rule-ID|SV-251719r832989_rule, STIG-ID|SLES-12-010109, Vuln-ID|V-251719

Plugin: Unix

Control ID: a4ac3e57532d4c0fac2a3cef1e101765011582c0a324e44218a1f6610e032ae5