5.2.5 Ensure users must re-authenticate for privilege escalation

Information

The operating system must be configured so that users must re-authenticate for privilege escalation.

Rationale:

Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.

Solution

Configure the operating system to require users to reauthenticate for privilege escalation.
Check the configuration of the /etc/sudoers file with the following command:

# vim /etc/sudoers

Remove any occurrences of !authenticate tags in the file.
Check the configuration of the /etc/sudoers.d/* files with the following command:

# grep -i authenticate /etc/sudoers /etc/sudoers.d/*

Edit the list of files using this command:

# vim /etc/sudoers.d/{path_of_file}

Remove any occurrences of !authenticate tags in the file(s).

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-11, CCI|CCI-002038, CSCv7|4.3, Rule-ID|SV-204430r603261_rule, STIG-ID|RHEL-07-010350

Plugin: Unix

Control ID: 31e7a2a35e905b96566af9074f833f1911a01859aafa641bd60c727ae72370b0