{"description": "The sudoers security policy requires that users authenticate themselves before they can use sudo.\nWhen sudoers requires authentication, it validates the invoking user's credentials.\nThe expected output for:\n<pre> sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' </pre>\n<pre> Defaults !targetpw\n      Defaults !rootpw\n      Defaults !runaspw </pre>\nor, if cvtsudoers is not supported:\n<pre> sudo find /etc/sudoers /etc/sudoers.d \\( \\! -name '*~' -a \\! -name '*.*' \\) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\\b(rootpw|targetpw|runaspw)' -- {} \\; </pre>\n<pre> /etc/sudoers:Defaults !targetpw\n      /etc/sudoers:Defaults !rootpw\n      /etc/sudoers:Defaults !runaspw </pre>", "rationale": "If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt\nthe invoking user for the \"root\" user password.", "severity": "medium", "references": {"nist": ["CM-6(b)", "CM-6.1(iv)"], "srg": ["SRG-OS-000480-GPOS-00227"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "invoke user passwd when using sudo", "ocil": "Run the following command to verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation:\n<pre> sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)' </pre>\nor, if cvtsudoers is not supported:\n<pre> sudo find /etc/sudoers /etc/sudoers.d \\( \\! -name '*~' -a \\! -name '*.*' \\) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\\b(rootpw|targetpw|runaspw)' -- {} \\; </pre>\nIf no results are returned, this is a finding.\nIf conflicting results are returned, this is a finding.\nIf \"Defaults !targetpw\" is not defined, this is a finding.\nIf \"Defaults !rootpw\" is not defined, this is a finding.\nIf \"Defaults !runaspw\" is not defined, this is a finding.", "oval_external_content": null, "fixtext": "Define the following in the Defaults section of the /etc/sudoers file or a configuration file in the /etc/sudoers.d/ directory:\nDefaults !targetpw\nDefaults !rootpw\nDefaults !runaspw", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must use the invoking user's password for privilege escalation when using \"sudo\".", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must use the invoking user's password for privilege escalation when using \"sudo\".", "vuldiscussion": "If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt the invoking user for the \"root\" user password.", "checktext": "Verify that the sudoers security policy is configured to use the invoking user's password for privilege escalation with the following command:\n\n$ sudo egrep -ir '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/ | grep -v '#'\n\n/etc/sudoers:Defaults !targetpw\n/etc/sudoers:Defaults !rootpw\n/etc/sudoers:Defaults !runaspw\n\nIf no results are returned, this is a finding.\n\nIf results are returned from more than one file location, this is a finding.\n\nIf \"Defaults !targetpw\" is not defined, this is a finding.\n\nIf \"Defaults !rootpw\" is not defined, this is a finding.\n\nIf \"Defaults !runaspw\" is not defined, this is a finding.", "fixtext": "Define the following in the Defaults section of the /etc/sudoers file or a single configuration file in the /etc/sudoers.d/ directory:\n\nDefaults !targetpw\nDefaults !rootpw\nDefaults !runaspw"}}, "platform": "package[sudo]", "platforms": ["package[sudo]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_sudo"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure invoking user's password for privilege escalation when using sudo", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudoers_validate_passwd/rule.yml", "template": null}