Profile Applicability:
 • Level 1

Description:
 Requiring users to enter their password when using privilege escalation tools such as sudo ensures accountability and prevents unauthorized or accidental use of elevated privileges.

Rationale:
 Enforcing password prompts for privilege escalation helps maintain security by verifying user identity before granting higher-level access.

Impact:
 Pros:

  • Enhances security by requiring authentication for privilege escalation.

  • Supports auditability and accountability.

 Cons:

  • May cause minor inconvenience for users needing frequent escalations.

Default Value:
 By default, sudo prompts for a password unless configured otherwise.

Pre-requisites:

  • Root or sudo privileges to modify sudoers configuration.

Remediation:

Test Plan:

Using Linux command line:

Check sudoers configuration for NOPASSWD usage:

sudo grep -rE 'NOPASSWD' /etc/sudoers /etc/sudoers.d/


  1. Verify that users or groups do not have the NOPASSWD tag allowing passwordless escalation.
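
The check above, as an added example that is not part of the benchmark text: a shell function that goes beyond a plain grep by ignoring commented-out entries, joining backslash-continued rules, and treating "#" followed by digits as a user ID (as sudoers does) rather than a comment. The names find_nopasswd and write_sample and the sample entries are constructed for illustration; include directives are not followed, so pass every file to audit explicitly.

```shell
#!/bin/sh
# Added example: find_nopasswd FILE... prints "file:line: rule" for each
# active NOPASSWD rule and returns 1 if any is found (0 if none).
find_nopasswd() {
    awk '
    # "#" starts a comment unless digits follow (sudoers user-ID form, e.g. #1000).
    function strip_comment(s,    out, i) {
        out = ""
        while ((i = index(s, "#")) > 0) {
            if (substr(s, i + 1, 1) !~ /^[0-9]$/) return out substr(s, 1, i - 1)
            out = out substr(s, 1, i + 1)
            s = substr(s, i + 2)
        }
        return out s
    }
    FNR == 1 { buf = ""; cont = 0 }
    {
        if (!cont) start = FNR
        # Comments are stripped per physical line, so a commented-out line
        # never hides the line after it (conservative choice for an audit).
        line = strip_comment($0)
        # Join backslash-continued lines so the tag is seen with its rule.
        if (sub(/\\$/, "", line)) { buf = buf line; cont = 1; next }
        rule = buf line; buf = ""; cont = 0
        if (rule ~ /NOPASSWD[ \t]*:/) {
            printf "%s:%d: %s\n", FILENAME, start, rule
            hits++
        }
    }
    END { exit (hits > 0) }
    ' "$@"
}

# Constructed sample input (not taken from any real host).
write_sample() {
    cat > "$1" <<'EOF'
# alice ALL=(ALL) NOPASSWD: ALL
bob ALL=(ALL) ALL   # was NOPASSWD: ALL
carol ALL=(ALL) NOPASSWD: /usr/bin/systemctl
%ops ALL=(ALL) \
    NOPASSWD: ALL
#1000 ALL=(ALL) NOPASSWD: ALL
EOF
}

if [ "$#" -gt 0 ]; then
    find_nopasswd "$@"          # audit the files named on the command line
else
    tmp=$(mktemp); write_sample "$tmp"   # no arguments: run on the sample
    find_nopasswd "$tmp" || echo "active NOPASSWD rules found"; rm -f "$tmp"
fi
```

Run it as root with /etc/sudoers and each file under /etc/sudoers.d/ as arguments; a non-zero exit status means at least one active NOPASSWD rule remains.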

Implementation Plan:

Using Linux command line:

Edit sudoers configuration safely using visudo:

visudo

Remove or comment out any NOPASSWD entries to ensure a password is required for escalation. For example, change:

user ALL=(ALL) NOPASSWD: ALL

to:

user ALL=(ALL) ALL

  1. Save and exit.

Backout Plan:

Using Linux command line:

  1. Re-add NOPASSWD entries if necessary.

  2. Test sudo functionality and user experience.
