mediumaccess-controlverified ✓
Ensure users must provide password for privilege escalation
sudo-require-password · RHEL ≥ 8 · 1 impl
Description
Users should be required to authenticate with their password when using sudo to escalate privileges. NOPASSWD should not be configured.
Rationale
Requiring password authentication for sudo provides an additional layer of security and ensures that if a user session is compromised, the attacker cannot immediately gain elevated privileges.
Check → Remediate
Checkcommand
fail=0
# Check for NOPASSWD in sudoers files
if grep -rE '^\s*[^#].*NOPASSWD' /etc/sudoers /etc/sudoers.d/ 2>/dev/null | grep -v '^#'; then
echo "FAIL: NOPASSWD found in sudoers"
fail=1
fi
# Check for !targetpw, !rootpw, !runaspw (STIG requirement)
for opt in targetpw rootpw runaspw; do
if grep -rqE "^\s*Defaults\s+!${opt}" /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
:
elif grep -rqE "^\s*Defaults\s+${opt}" /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
echo "FAIL: Defaults $opt is set (should be !$opt or absent)"
fail=1
fi
done
[ "$fail" -eq 0 ] && echo "OK: password required for privilege escalation"
exit $fail
- expected_exit:
- 0
Remediatemanual
- note:
- Remove NOPASSWD from all sudoers entries. Ensure targetpw, rootpw, and runaspw are not enabled in /etc/sudoers or /etc/sudoers.d/. Add if needed: Defaults !targetpw, Defaults !rootpw, Defaults !runaspw
Framework references
CIS
rhel9 5.2.4rhel10 5.2.4rhel8 5.2.4
STIG
V-281210 / RHEL-10-600550V-237642V-258085 / RHEL-09-432020
NIST 800-53
IA-11AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#sudo#password#authentication#privilege-escalation