V-215260

CAT I (High)

AIX must remove NOPASSWD tag from sudo config files.

Rule ID

SV-215260r1050789_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-004895, CCI-002038

Discussion

The sudo command does not require reauthentication if the NOPASSWD tag is specified in the /etc/sudoers config file or in sudoers files in the /etc/sudoers.d/ directory. With this tag in a sudoers file, users are not required to reauthenticate for privilege escalation.

Check Content

If sudo is not used on AIX, this is Not Applicable.

Run the following command to find the "NOPASSWD" tag in the "/etc/sudoers" file:
# grep NOPASSWD /etc/sudoers

If a "NOPASSWD" tag is found in the "/etc/sudoers" file, this is a finding.

Run the following command to find the "NOPASSWD" tag in the sudo config files in the "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l NOPASSWD {} \;

The above command displays all sudo config files in the "/etc/sudoers.d/" directory that contain the "NOPASSWD" tag.

If the above command finds a config file in the "/etc/sudoers.d/" directory that contains the "NOPASSWD" tag, this is a finding.
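
The two checks above combined into one function that reports the file and line number of each match and returns a status usable in automation. This is an added example, not part of the STIG text; the function name `check_nopasswd`, the "FINDING" output prefix and the return codes are assumptions of the example.

```shell
#!/bin/sh
# Added example: combined check for V-215260. Paths are parameters so the
# function can be run against a constructed test tree as well as /etc.
# Return codes (chosen for this example, not defined by the STIG):
#   0 = no NOPASSWD found, 1 = finding, 2 = Not Applicable (no sudoers file)
# Usage: check_nopasswd; echo "rc=$?"
check_nopasswd() {
    sudoers_file=${1:-/etc/sudoers}
    sudoers_dir=${2:-/etc/sudoers.d}
    rc=0

    # No main sudoers file: treat sudo as not in use on this host.
    [ -f "$sudoers_file" ] || return 2

    # Same match as the STIG's "grep NOPASSWD", with line numbers added.
    # /dev/null is a second operand so grep always prints the file name.
    # Commented lines are reported too, exactly as the manual check would.
    if hits=$(grep -n NOPASSWD /dev/null "$sudoers_file"); then
        printf '%s\n' "$hits" | sed 's|^|FINDING |'
        rc=1
    fi

    # Same file selection as the STIG's find command. grep exits non-zero
    # when nothing matches, so find's status is ignored and the output is
    # tested instead.
    if [ -d "$sudoers_dir" ]; then
        hits=$(find "$sudoers_dir" -type f \
                   -exec grep -n NOPASSWD /dev/null {} + 2>/dev/null) || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's|^|FINDING |'
            rc=1
        fi
    fi
    return $rc
}
```
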

Fix Text

Edit "/etc/sudoers" using the "visudo" command to remove all the "NOPASSWD" tags:
# visudo -f 

To edit a sudo config file in the "/etc/sudoers.d/" directory that contains "NOPASSWD" tags, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>