TOSS must require users to provide a password for privilege escalation.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-252959	SRG-OS-000373-GPOS-00157	TOSS-04-020190	SV-252959r987879_rule	2024-05-30	2

Description
Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user reauthenticate.

ℹ️ Check
Verify that "/etc/sudoers" has no occurrences of "NOPASSWD." Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* %admin ALL=(ALL) NOPASSWD: ALL If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group utilizing multifactor authentication (MFA), this is a finding.

ℹ️ Check

Verify that "/etc/sudoers" has no occurrences of "NOPASSWD." Check that the "/etc/sudoers" file has no occurrences of "NOPASSWD" by running the following command: $ sudo grep -i nopasswd /etc/sudoers /etc/sudoers.d/* %admin ALL=(ALL) NOPASSWD: ALL If any occurrences of "NOPASSWD" are returned from the command and have not been documented with the information system security officer (ISSO) as an organizationally defined administrative group utilizing multifactor authentication (MFA), this is a finding.

✔️ Fix
Remove any occurrence of "NOPASSWD" found in "/etc/sudoers" file or files in the "/etc/sudoers.d" directory.