Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
Description
The sudo !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that the !authenticate option does not exist in the /etc/sudoers configuration file or in any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
Shell script
The following script can be run on the host to remediate the issue.
# Check /etc/sudoers and every snippet in /etc/sudoers.d/
for f in /etc/sudoers /etc/sudoers.d/* ; do
    if [ ! -e "$f" ] ; then
        continue
    fi
    # Active (non-comment) lines that carry the !authenticate option
    matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' "$f" | uniq )
    if ! test -z "$matching_list"; then
        while IFS= read -r entry; do
            # comment out "!authenticate" matches to preserve user data
            sed -i "s/^${entry}$/# &/g" "$f"
        done <<< "$matching_list"
        # Make sure the edited file still parses as valid sudoers syntax
        /usr/sbin/visudo -cf "$f" &> /dev/null || echo "Fail to validate $f with visudo"
    fi
done
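The remediation script above rewrites files in place. As an added example that is not part of the rule's own content, the audit-only check below reports active !authenticate entries without changing anything, so it can be run before remediation and again afterwards to confirm the finding is gone. It uses a grep -E expression in place of the rule's grep -P one for portability, and the sudoers content it scans is constructed sample data written to a temporary directory.

```shell
# Added audit helper (not the rule's own code). Reports, but never edits,
# active sudoers lines carrying the !authenticate option.

# Print every non-comment line of one sudoers file that contains !authenticate.
# Lines already commented out (as the remediation does) are ignored.
find_no_authenticate() {
    [ -r "$1" ] || return 0
    grep -E '^[^#].*[[:space:]]!authenticate' "$1" | sort -u
}

# Return 0 if none of the given files has an active !authenticate entry,
# 1 otherwise, printing each offending line as "file: line".
audit_sudoers() {
    rc=0
    for f in "$@"; do
        hits=$(find_no_authenticate "$f")
        if [ -n "$hits" ]; then
            rc=1
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s: %s\n' "$f" "$line"
            done
        fi
    done
    return $rc
}

# Constructed sample files; no real system configuration is read or written.
sample_dir=$(mktemp -d)
cat > "$sample_dir/sudoers" <<'EOF'
# constructed /etc/sudoers stand-in
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
# alice  ALL=(ALL) ALL   !authenticate   (commented out: must not be reported)
EOF
cat > "$sample_dir/10-ops" <<'EOF'
# constructed snippet granting a group sudo without re-authentication
Defaults:%ops !authenticate
%ops ALL=(ALL) ALL
EOF
cat > "$sample_dir/20-clean" <<'EOF'
# constructed snippet with no weak option
bob ALL=(ALL) ALL
EOF

audit_sudoers "$sample_dir/sudoers" "$sample_dir/20-clean" && echo "clean files: no findings"
audit_sudoers "$sample_dir/sudoers" "$sample_dir/10-ops" || echo "finding(s) reported above"
```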
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Find /etc/sudoers.d/ files
  find:
    paths:
      - /etc/sudoers.d/
  register: sudoers
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_remove_no_authenticate

- name: Remove lines containing !authenticate from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
    - path: /etc/sudoers
    - '{{ sudoers.files }}'
  tags:
    - NIST-800-53-CM-6(a)
    - NIST-800-53-IA-11
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - sudo_remove_no_authenticate