{"description": "Verify the operating system is not configured to bypass password requirements for privilege\nescalation. Check the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n<pre>$ sudo grep pam_succeed_if /etc/pam.d/sudo</pre>\nIf any occurrences of \"pam_succeed_if\" are returned from the command, this is a finding.", "rationale": "Without re-authentication, users may access resources or perform tasks for which they do not\nhave authorization. When operating systems provide the capability to escalate a functional\ncapability, it is critical the user re-authenticate.", "severity": "medium", "references": {"nist": ["IA-11"], "srg": ["SRG-OS-000373-GPOS-00156", "SRG-OS-000373-GPOS-00157", "SRG-OS-000373-GPOS-00158"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "system is configured to bypass password requirements for privilege escalation", "ocil": "Verify the operating system is not configured to bypass password requirements for privilege\nescalation. Check the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n<pre>$ sudo grep pam_succeed_if /etc/pam.d/sudo</pre>", "oval_external_content": null, "fixtext": "Configure the operating system to require users to supply a password for privilege escalation.\n\nCheck the configuration of the \"/etc/pam.d/sudo\" file with the following command:\n$ sudo vi /etc/pam.d/sudo\n\nRemove any occurrences of \"pam_succeed_if\" in the file.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must not be configured to bypass password requirements for privilege escalation.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not be configured to bypass password requirements for privilege escalation.", "vuldiscussion": "Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.", "checktext": "Verify the operating system is not configured to bypass password requirements for privilege escalation with the following command:\n\n$ sudo grep pam_succeed_if /etc/pam.d/sudo\n\nIf any occurrences of \"pam_succeed_if\" are returned, this is a finding.", "fixtext": "Configure the operating system to require users to supply a password for privilege escalation.\n\nRemove any occurrences of \"pam_succeed_if\" in the \"/etc/pam.d/sudo\" file."}}, "platform": "package[pam] and system_with_kernel", "platforms": ["package[pam] and system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disallow Configuration to Bypass Password Requirements for Privilege Escalation", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/disallow_bypass_password_sudo/rule.yml", "template": null}