highaccess-controlverified ✓
Ensure sudo does not allow NOPASSWD authentication
sudo-nopasswd-prohibited · RHEL ≥ 8 · 1 impl
Description
The sudoers configuration must not include the NOPASSWD tag. The NOPASSWD option allows users to execute sudo commands without entering their password, bypassing the authentication requirement.
Rationale
Using NOPASSWD in sudoers bypasses the purpose of sudo — to require authentication before granting elevated privileges. An attacker who compromises an account configured with NOPASSWD gains immediate unrestricted elevated access without knowing any password.
Check → Remediate
Checkcommand
grep -r 'NOPASSWD' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -v '^\s*#' | head -1
Remediatemanual
- note:
- Remove all NOPASSWD entries from /etc/sudoers and files in /etc/sudoers.d/. Use visudo to safely edit sudo configuration. Each elevated command must require password authentication.
Framework references
STIG
V-281211 / RHEL-10-600560V-258106 / RHEL-09-611085V-230271
NIST 800-53
IA-11AC-6
Live verification
rhel8:check
#sudo#authentication#privilege#nopasswd