{"description": "The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).\n\nUser specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and <tt>ALL</tt> or <tt>root</tt> should not be used.", "rationale": "It is common that the command to be executed does not require superuser rights (editing a file\nwhose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit\nany attempt of privilege escalation through a command, it is better to apply normal user rights.", "severity": "medium", "references": {"anssi": ["R40"]}, "control_references": {"anssi": ["R40"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/sudoers file contains rules that allow non-root users to run commands as root", "ocil": "To determine if the users are allowed to run commands as root, run the following commands:\n<pre>$ sudo grep -PR '^\\s*((?!root\\b)[\\w]+)\\s*(\\w+)\\s*=\\s*(.*,)?\\s*[^\\(\\s]' /etc/sudoers /etc/sudoers.d/</pre>\nand\n<pre>$ sudo grep -PR '^\\s*((?!root\\b)[\\w]+)\\s*(\\w+)\\s*=\\s*(.*,)?\\s*\\([\\w\\s]*\\b(root|ALL)\\b[\\w\\s]*\\)' /etc/sudoers /etc/sudoers.d/</pre>\nBoth commands should return no output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[sudo]", "platforms": ["package[sudo]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_sudo"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Don't target root user in the sudoers file", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudoers_no_root_target/rule.yml", "template": null}