{"description": "The sudo <tt>NOPASSWD</tt> tag, when specified, allows a user to execute\ncommands using sudo without having to authenticate. This should be disabled\nby making sure that the <tt>NOPASSWD</tt> tag does not exist in the\n<tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets\nin <tt>/etc/sudoers.d/</tt>.", "rationale": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.\n<br /><br />\nWhen operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-11", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-7"], "srg": ["SRG-OS-000373-GPOS-00156", "SRG-OS-000373-GPOS-00157", "SRG-OS-000373-GPOS-00158"], "ism": ["1546"]}, "control_references": {"ism": ["1546"]}, "components": [], "identifiers": {}, "ocil_clause": "nopasswd is specified in the sudo config files", "ocil": "To determine if <tt>NOPASSWD</tt> has been configured for sudo, run the following command:\n<pre>$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/</pre>\nThe command should return no output.", "oval_external_content": null, "fixtext": "Check that Ubuntu 22.04 is not configured to allow users to execute privileged actions without authenticating.\n\nRemove any occurrence of \"NOPASSWD\" found in the \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory.\n\n$ sed -i '/NOPASSWD/ s/^/# /g' /etc/sudoers /etc/sudoers.d/*", 
"checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must require users to provide a password for privilege escalation.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require users to provide a password for privilege escalation.", "vuldiscussion": "Without reauthentication, users may access resources or perform tasks for which they do not have authorization.\n\nWhen operating systems provide the capability to escalate a functional capability, it is critical that the user reauthenticate.", "checktext": "Verify that \"/etc/sudoers\" has no occurrences of \"NOPASSWD\" with the following command:\n\n$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/\n\nIf any occurrences of \"NOPASSWD\" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group using MFA, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to not allow users to execute privileged actions without authenticating with a password.\n\nRemove any occurrence of \"NOPASSWD\" found in the \"/etc/sudoers\" file or files in the \"/etc/sudoers.d\" directory.\n\n$ sudo find /etc/sudoers /etc/sudoers.d -type f -exec sed -i '/NOPASSWD/ s/^/# /g' {} \\;"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudo_remove_nopasswd/rule.yml", "template": null}