6.3.1 Privilege escalation: sudo

Information

The recommendation is to install and configure sudo, to reflect the privileged command access requirements of all users of the system.

Rationale:

Privileged command access should be limited to and defined by a user's individual needs. Access to a root command prompt should limited, wherever possible, to minimize the risk of inadvertent or deliberate misuse of the account.

The choice between sudo and enhanced RBAC revolves around whether or not the environment is heterogeneous in nature, running different flavors of UNIX, or perhaps different versions of AIX. It may be that sudo is the standard tool of choice for managing privileged command access across an entire UNIX estate. However, if the environment is AIX 6.1+ only, it is recommended that enhanced RBAC is used as the tool of choice. Some implementations however may benefit from a combined approach, utilizing both sudo and enhanced RBAC.

Solution

Install the latest available version for the sudo distribution installed on your system. This version should be 1.9.5p2 or later.

Default Value:

Not installed

Additional Information:

Once installed refer to the sudo man page for information regarding the creation of a custom /etc/sudoers file. It is recommended that, to reduce rule complexity, privileges are assigned at a group level wherever possible:

http://www.gratisoft.us/sudo/man/sudo.html

NOTE: The configuration of sudo is completely dependent on the unique requirements of a given environment.

All editing of the /etc/sudoers file must be performed by the following command:

visudo

Once the /etc/sudoers file has been successfully created, validate the syntax of the file:

visudo -c

Reversion:

De-install the sudo software:

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5)

Plugin: Unix

Control ID: 96acdc57d2be56b76f2f527b4eeb7be10b9663ca94a2b69bf179833dcb2a7e69