{"description": "The sudo <tt>NOPASSWD</tt> and <tt>!authenticate</tt> options, when\nspecified, allow a user to execute commands using sudo without having to\nauthenticate. This should be disabled by making sure that\n<tt>NOPASSWD</tt> and/or <tt>!authenticate</tt> do not exist in the\n<tt>/etc/sudoers</tt> configuration file or any sudo configuration snippets\nin <tt>/etc/sudoers.d/</tt>.", "rationale": "Without re-authentication, users may access resources or perform tasks for which they\ndo not have authorization.\n<br /><br />\nWhen operating systems provide the capability to escalate a functional capability, it\nis critical that the user re-authenticate.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-11", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-7"], "srg": ["SRG-OS-000373-GPOS-00156"], "cis": ["5.2.4"], "ism": ["1546"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-432010"], "stigref": ["SV-260558r1050789_rule"]}, "control_references": {"cis": ["5.2.4"], "ism": ["1546"], "pcidss4": ["2.2.6", "2.2"], "stigid": ["UBTU-22-432010"]}, "components": [], "identifiers": {}, "ocil_clause": "nopasswd and/or !authenticate is enabled in sudo", "ocil": "To determine if <tt>NOPASSWD</tt> or <tt>!authenticate</tt> have been configured for\nsudo, run the following command:\n<pre>$ sudo grep -ri \"nopasswd\\|\\!authenticate\" /etc/sudoers /etc/sudoers.d/</pre>\nThe command should return no output.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure Users Re-Authenticate for Privilege Escalation - sudo", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudo_require_authentication/rule.yml", "template": null}