{"description": "The sudo <tt>!authenticate</tt> option, when specified, allows a user to execute commands using\nsudo without having to authenticate. This should be disabled by making sure that the\n<tt>!authenticate</tt> option does not exist in <tt>/etc/sudoers</tt> configuration file or\nany sudo configuration snippets in <tt>/etc/sudoers.d/</tt>.", "rationale": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.\n<br /><br />\nWhen operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-11", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-7"], "srg": ["SRG-OS-000373-GPOS-00156", "SRG-OS-000373-GPOS-00157", "SRG-OS-000373-GPOS-00158"], "cis": ["5.2.5"], "ism": ["1546"]}, "control_references": {"cis": ["5.2.5"], "ism": ["1546"]}, "components": [], "identifiers": {}, "ocil_clause": "!authenticate is specified in the sudo config files", "ocil": "To determine if <tt>!authenticate</tt> has not been configured for sudo, run the following command:\n<pre>$ sudo grep -r \\!authenticate /etc/sudoers /etc/sudoers.d/</pre>\nThe command should return no output.", "oval_external_content": null, "fixtext": "Check that Ubuntu 22.04 is not configured to allow users to execute privileged actions without authenticating.\n\nRemove any occurrence of \"!authenticate\" found in \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory.\n\n$ sed -i '/\\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must require users to reauthenticate for privilege escalation.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require users to reauthenticate for privilege escalation.", "vuldiscussion": "Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.", "checktext": "Verify that \"/etc/sudoers\" has no occurrences of \"!authenticate\" with the following command:\n\n$ sudo grep -ir '!authenticate' /etc/sudoers /etc/sudoers.d/\n\nIf any occurrences of \"!authenticate\" are returned, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to not allow users to execute privileged actions without authenticating.\n\nRemove any occurrence of \"!authenticate\" found in \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory.\n\n$ sudo sed -i '/\\!authenticate/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudo_remove_no_authenticate/rule.yml", "template": null}