mediumaccess-controlverified ✓
Require reauthentication for privilege escalation
sudoers-reauth-required · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must require users to reauthenticate for privilege escalation. The "!authenticate" option must not appear in /etc/sudoers or any file under /etc/sudoers.d, since it disables the sudo password prompt.
Rationale
Disabling reauthentication via "!authenticate" lets a user who stepped away from an authenticated session be impersonated for privileged actions, defeating the purpose of requiring a password for sudo.
Check → Remediate
Checkcommand
if grep -rE '^[[:space:]]*[^#].*!authenticate' /etc/sudoers /etc/sudoers.d/ 2>/dev/null; then exit 1 fi exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Using visudo, remove every occurrence of "!authenticate" from /etc/sudoers and any file under /etc/sudoers.d so that sudo prompts for a password. Edit with visudo only, to avoid syntax errors that would lock out privilege escalation.
Framework references
CIS
rhel10 5.2.5
STIG
V-281208 / RHEL-10-600530V-258086 / RHEL-09-432025V-230272 / RHEL-08-010381
NIST 800-53
IA-11
Live verification
rhel8:check
#sudo#authentication#privilege-escalation