← Rules Catalog
mediumaccess-controlunverified

Ensure pam_succeed_if is not used in the sudo PAM stack

sudo-no-pam-succeed-if · RHEL ≥ 8 · 1 impl

Description

/etc/pam.d/sudo must not include pam_succeed_if, which can be used to bypass the intended authentication for privilege escalation.

Rationale

A pam_succeed_if line in the sudo stack can silently grant sudo without the expected checks, weakening privilege-escalation control.

Check → Remediate

Checkcommand
if grep -qE '^[[:space:]]*[^#].*pam_succeed_if' /etc/pam.d/sudo 2>/dev/null; then
  echo "FAIL: pam_succeed_if present in /etc/pam.d/sudo"; exit 1
fi
echo "OK: no pam_succeed_if in the sudo PAM stack"; exit 0
expected_exit:
0
Remediatemanual
note:
Remove any pam_succeed_if line from /etc/pam.d/sudo.

Framework references

STIG

V-281206 / RHEL-10-600510V-258118 / RHEL-09-611145

NIST 800-53

AC-6
#sudo#pam#privilege-escalation#stig