mediumaccess-controlverified ✓
Restrict overly permissive sudo privilege escalation
sudo-restrict-privilege-escalation · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must restrict privilege elevation to authorized personnel. Users with sudo access must not have unrestricted ALL=(ALL) ALL entries unless specifically justified.
Rationale
Overly broad sudo rules grant users unrestricted root access which violates least-privilege principles.
Check → Remediate
Checkcommand
# Check for overly broad sudo rules granting ALL=(ALL) ALL result=$(grep -rE '^\s*[^#%].*ALL\s*=\s*\(ALL(:ALL)?\)\s*ALL' /etc/sudoers /etc/sudoers.d/ 2>/dev/null || true) if [ -n "$result" ]; then echo "FAIL: Overly broad sudo rules found:" echo "$result" exit 1 fi echo "OK: No unrestricted ALL=(ALL) ALL entries found" exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Review and restrict any overly broad sudo rules that grant ALL=(ALL) ALL access. Replace with specific commands and paths per least-privilege principles.
Framework references
STIG
V-281207 / RHEL-10-600520V-237641
NIST 800-53
AC-6AC-6(5)
Live verification
rhel8:check
#sudo#privilege-escalation#access-control#least-privilege