← Rules Catalog
mediumaccess-controlverified

Require reauthentication for privilege escalation

sudoers-reauth-required · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must require users to reauthenticate for privilege escalation. The "!authenticate" option must not appear in /etc/sudoers or any file under /etc/sudoers.d, since it disables the sudo password prompt.

Rationale

Disabling reauthentication via "!authenticate" lets a user who stepped away from an authenticated session be impersonated for privileged actions, defeating the purpose of requiring a password for sudo.

Check → Remediate

Checkcommand
if grep -rE '^[[:space:]]*[^#].*!authenticate' /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then
  exit 1
fi
exit 0
expected_exit:
0
Remediatemanual
note:
Using visudo, remove every occurrence of "!authenticate" from /etc/sudoers and any file under /etc/sudoers.d so that sudo prompts for a password. Edit with visudo only, to avoid syntax errors that would lock out privilege escalation.

Framework references

CIS

rhel10 5.2.5

STIG

V-281208 / RHEL-10-600530V-258086 / RHEL-09-432025V-230272 / RHEL-08-010381

NIST 800-53

IA-11

Live verification

rhel8:check
#sudo#authentication#privilege-escalation