The SUSE operating system must reauthenticate users when changing authenticators, roles, or escalating privileges.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-217112	SRG-OS-000373-GPOS-00156	SLES-12-010110	SV-217112r1050789_rule	2024-11-25	3

Description
Without reauthentication, users may access resources or perform tasks for which they do not have authorization. When SUSE operating system provide the capability to change user authenticators, change security roles, or escalate a functional capability, it is critical the user reauthenticate. Satisfies: SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158

ℹ️ Check
Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: > sudo egrep -i '(nopasswd\|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

ℹ️ Check

Verify that the SUSE operating system requires reauthentication when changing authenticators, roles, or escalating privileges. Check that "/etc/sudoers" has no occurrences of "NOPASSWD" or "!authenticate" with the following command: > sudo egrep -i '(nopasswd|!authenticate)' /etc/sudoers If any uncommented lines containing "!authenticate", or "NOPASSWD" are returned and active accounts on the system have valid passwords, this is a finding.

✔️ Fix
Configure the SUSE operating system to remove any occurrence of "NOPASSWD" or "!authenticate" found in the "/etc/sudoers" file. If the system does not use passwords for authentication, the "NOPASSWD" tag may exist in the file.