← Rules Catalog
mediumaccess-controlverified

Ensure users must provide password for privilege escalation

sudo-require-password · RHEL ≥ 8 · 1 impl

Description

Users should be required to authenticate with their password when using sudo to escalate privileges. NOPASSWD should not be configured.

Rationale

Requiring password authentication for sudo provides an additional layer of security and ensures that if a user session is compromised, the attacker cannot immediately gain elevated privileges.

Check → Remediate

Checkcommand
fail=0
# Check for NOPASSWD in sudoers files
if grep -rE '^\s*[^#].*NOPASSWD' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -v '^#'; then
  echo "FAIL: NOPASSWD found in sudoers"
  fail=1
fi
# Check for !targetpw, !rootpw, !runaspw (STIG requirement)
for opt in targetpw rootpw runaspw; do
  if grep -rqE "^\s*Defaults\s+!${opt}" /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
    :
  elif grep -rqE "^\s*Defaults\s+${opt}" /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
    echo "FAIL: Defaults $opt is set (should be !$opt or absent)"
    fail=1
  fi
done
[ "$fail" -eq 0 ] && echo "OK: password required for privilege escalation"
exit $fail
expected_exit:
0
Remediatemanual
note:
Remove NOPASSWD from all sudoers entries. Ensure targetpw, rootpw, and runaspw are not enabled in /etc/sudoers or /etc/sudoers.d/. Add if needed: Defaults !targetpw, Defaults !rootpw, Defaults !runaspw

Framework references

CIS

rhel9 5.2.4rhel10 5.2.4rhel8 5.2.4

STIG

V-281210 / RHEL-10-600550V-237642V-258085 / RHEL-09-432020

NIST 800-53

IA-11AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#sudo#password#authentication#privilege-escalation