4.3.4 Ensure users must provide password for privilege escalation

Information

The operating system must be configured so that users must provide a password for privilege escalation.

Without (re-)authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical the user (re-)authenticate.

Solution

Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file.

Remove any line with occurrences of NOPASSWD tags in the file.

Impact:

This will prevent automated processes from being able to elevate privileges.

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Unix

Control ID: 59ad04ff39bfa689678c3702a90e9b44a13db2539ac618a23f10fd7a409d9fd9