STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must remove !authenticate option from sudo config files.

DISA Rule

SV-215261r508663_rule

Vulnerability Number

V-215261

Group Title

SRG-OS-000373-GPOS-00156

Rule Version

AIX7-00-002062

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Edit "/etc/sudoers" using "visudo" command to remove all the "!authenticate" options:
# visudo -f /etc/sudoers

Editing a sudo config file that is in "/etc/sudoers.d/" directory and contains "!authenticate" options, use the "visudo" command as follows:
# visudo -f /etc/sudoers.d/<config_file_name>

Check Contents

If sudo is not used on AIX, this is Not Applicable.

Run the following command to find "!authenticate" option in "/etc/sudoers" file:
# grep "!authenticate" /etc/sudoers

If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding.

Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \;

The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option.

If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.

Vulnerability Number

V-215261

Documentable

False

Rule Version

AIX7-00-002062

Severity Override Guidance

If sudo is not used on AIX, this is Not Applicable.

Run the following command to find "!authenticate" option in "/etc/sudoers" file:
# grep "!authenticate" /etc/sudoers

If there is a "!authenticate" option found in "/etc/sudoers" file, this is a finding.

Run the following command to find "!authenticate" option in one of the sudo config files in "/etc/sudoers.d/" directory:
# find /etc/sudoers.d -type f -exec grep -l "!authenticate" {} \;

The above command displays all sudo config files that are in "/etc/sudoers.d/" directory and they contain the "!authenticate" option.

If above command found a config file that is in "/etc/sudoers.d/" directory and that contains the "!authenticate" option, this is a finding.

Check Content Reference

M

Target Key

4012

Comments