The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.

From SLES 12 Security Technical Implementation Guide

Associated with: CCI-002038

SV-91763r2_rule The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.

Vulnerability discussion

Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SUSE operating system provide the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate.Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

Check content

Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: # sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers %wheel ALL=(ALL) NOPASSWD: ALL If any occurrences of "!authenticate" are returned, or occurrences of "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

Fix text

Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.