← Rules Catalog
highaccess-controlverified

Ensure sudo does not allow NOPASSWD authentication

sudo-nopasswd-prohibited · RHEL ≥ 8 · 1 impl

Description

The sudoers configuration must not include the NOPASSWD tag. The NOPASSWD option allows users to execute sudo commands without entering their password, bypassing the authentication requirement.

Rationale

Using NOPASSWD in sudoers bypasses the purpose of sudo — to require authentication before granting elevated privileges. An attacker who compromises an account configured with NOPASSWD gains immediate unrestricted elevated access without knowing any password.

Check → Remediate

Checkcommand
grep -r 'NOPASSWD' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -v '^\s*#' | head -1
Remediatemanual
note:
Remove all NOPASSWD entries from /etc/sudoers and files in /etc/sudoers.d/. Use visudo to safely edit sudo configuration. Each elevated command must require password authentication.

Framework references

STIG

V-281211 / RHEL-10-600560V-258106 / RHEL-09-611085V-230271

NIST 800-53

IA-11AC-6

Live verification

rhel8:check
#sudo#authentication#privilege#nopasswd