mediumaccess-controlunverified
Ensure pam_succeed_if is not used in the sudo PAM stack
sudo-no-pam-succeed-if · RHEL ≥ 8 · 1 impl
Description
/etc/pam.d/sudo must not include pam_succeed_if, which can be used to bypass the intended authentication for privilege escalation.
Rationale
A pam_succeed_if line in the sudo stack can silently grant sudo without the expected checks, weakening privilege-escalation control.
Check → Remediate
Checkcommand
if grep -qE '^[[:space:]]*[^#].*pam_succeed_if' /etc/pam.d/sudo 2>/dev/null; then echo "FAIL: pam_succeed_if present in /etc/pam.d/sudo"; exit 1 fi echo "OK: no pam_succeed_if in the sudo PAM stack"; exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Remove any pam_succeed_if line from /etc/pam.d/sudo.
Framework references
STIG
V-281206 / RHEL-10-600510V-258118 / RHEL-09-611145
NIST 800-53
AC-6
#sudo#pam#privilege-escalation#stig