4.3.4 Ensure re-authentication for privilege escalation is not disabled globally

Information

The operating system must be configured so that users must re-authenticate for privilege escalation.

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.

Solution

Configure the operating system to require users to reauthenticate for privilege escalation.

Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file.

Remove any occurrences of !authenticate tags in the file(s).

See Also

https://workbench.cisecurity.org/benchmarks/12705